format of authorization data in a win2k ticket

Ben Cox BenC at CoManageCorp.com
Fri Oct 29 15:45:23 GMT 1999


Hello Assar,

On September 21, you wrote:
> I did some testing with Heimdal against a Windows 2000 rc1 KDC and
> after having managed to a client on the w2k-box to authenticate to my
> server I got ahold of an encrypted ticket with the extra authorization
> data in it.  The entire contents of the authorization data that I got
> is available at <http://www.sics.se/~assar/add-ticket>.
> [...]
> And the octet string contains lots of uninterpretable data (to me)
> but includes the client name (Administrator), the host name (TERMIT),
> and the first component of the domain name (FOO), and you can also
> find four SIDs in there but I haven't been able to figure out what
> these SIDs belong to.  It's unclear how you would get out the SIDs of
> particular users from the database but it's clear that the SIDs belong
> to this domain since the prefix of them are the same as the SIDs that
> can be found in the registry.
> 
> If anyone can bring some more clarity on the data in the octet string,
> that would be very nice.

I haven't seen any further discussion of this message, so hopefully I
am not duplicating work that has already been done much better by other
people, but I have done some preliminary investigation of the authz
data and below are my results.  I have also included a dump with my
comments as an attached file instead of just including the text, in
the hope that the line breaks will be preserved, since the lines are
fairly wide (>> 80 chars).


Ben Cox <BenC at CoManageCorp>
Development Engineer
CoManage Corporation
+1 412 318-6004

DISCLAIMER: Nothing in this message should be construed as an official
position of CoManage Corporation.


-----------------------------------------------------------
Interpret the first 8 bytes as a long long (64-bit int).  Its value is
4.  This probably indicates the count of segments to follow.

Then, there are 4 16-byte structures.  In each of these, there is a
32-bit tag(?), a 32-bit length, and a 64-bit offset.  These are:

	{ 1,  616,  72 }
	{ 10,  36, 688 }
	{ 6,   20, 728 }
	{ 7,   20, 752 }

Then follow 4 more segments: a 616-byte segment starting at offset 72,
a 36-byte segment starting at offset 688, a 20-byte segment starting
at offset 728, and a 20-byte segment starting at offset 752.  These
offsets are chosen to align to 8-byte (LONGLONG) boundaries.  (Which
is why the last one doesn't start at 748, for example, but 752.)  (All
offsets in this discussion are relative to the start of the 776-byte
octet string.)

The first segment, I haven't figured out the structure of yet.  This
is the segment that contains the first instance of the account name
("Administrator"), the hostname ("TERMIT"), the domain name ("FOO"),
and the SID list.  The strings in this segment are in BSTR format (a
32-bit count of unsigned 16-bit Unicode characters, followed by the
characters themselves).  There are 6 SIDs here total.  They are:

	S-1-5-21-602162358-1957994488-854245398
	S-1-5-21-602162358-1957994488-854245398-518
	S-1-5-21-602162358-1957994488-854245398-512
	S-1-5-21-602162358-1957994488-854245398-519
	S-1-5-21-602162358-1957994488-854245398-520
	S-1-5-21-602162358-1957994488-854245398-513

The first SID is almost certainly the SID of your domain itself, as it
is the prefix for the remaining SIDs, each of whose final RID is a
low-valued (and in 3 cases well-known) RID.  The one ending in -518 is
the SID of your domain's schema admins group; 512 is domain admins,
and 513 is domain users (these are all well-known RIDs).  The 519 and
520 ones are not well-known RIDs, but are the first available group
RIDs after the predefined groups.  It is likely that you belong to two
groups defined at your site beyond the standard administrative group
set.  The first SID starts at offset 0x01C4; the first 4 bytes are the
32-bit value 4, which is the number of subauthorities in the SID, then
the SID immediately follows.  The remainder of the SIDs start at
offset 0x20C, and all 5 are consecutive with a prefixed 32-bit value 5
(which is the number of subauthorities in those SIDs).  The list
appears to be terminated at offset 0x2AC with a 32-bit 0 value.


The second segment has 8 bytes that I can't interpret, followed by a
non-NUL-terminated Unicode string (L"Administrator") prefixed with a
16-bit byte count.  (Note: not the same as a BSTR.  Also I say
non-NUL-terminated even though some zero-bytes follow, because the
36-byte length given in the header up top doesn't include the four
0-bytes that follow the string; they appear just to be padding.)


The third and fourth segments begin with 76FF FFFF (probably should be
interpreted as 0xFFFFFF76, or decimal -138), followed by 16 nonzero
bytes.  (Followed by 4 zero bytes, but remember that those appear to
be padding to a quadword boundary.)  I'm guessing that these are
actually encrypted MD5 hashes or MD5 HMACs of the first two segments.
(They might also be GUIDs.)

-------------- next part --------------
----------------------------------------------------------------------
HEADER:

00000000: 0400 0000 0000 0000				LONGLONG: 4

00000008: 0100 0000					DWORD: 1
0000000C: 6802 0000					DWORD: 616
00000010: 4800 0000 0000 0000				LONGLONG: 72

00000018: 0A00 0000					DWORD: 10
0000001C: 2400 0000					DWORD: 36
00000020: B002 0000 0000 0000				LONGLONG: 688

00000028: 0600 0000					DWORD: 6
0000002C: 1400 0000					DWORD: 20
00000030: D802 0000 0000 0000				LONGLONG: 728

00000038: 0700 0000					DWORD: 7
0000003C: 1400 0000					DWORD: 20
00000040: F002 0000 0000 0000				LONGLONG: 752

----------------------------------------------------------------------
SEGMENT 1:

00000048: 0110 0800					?
0000004C: CCCC CCCC					? (uninitialized?)
00000050: 5802 0000 0000 0000				LONGLONG: 600 (length of remainder of this segment)

00000058: 40F2 6700					?

0000005C: 30F2 92AF 4403 BF01				? (timestamp?)
00000064: FFFF FFFF FFFF FF7F				? (note: MAXLONGLONG; "forever"/"never" timestamp?)
0000006C: FFFF FFFF FFFF FF7F				? (MAXLONGLONG)
00000074: 206B 2E1D B6F2 BE01				? (timestamp?)
0000007C: 206B 2E1D B6F2 BE01				? (timestamp?)
00000084: FFFF FFFF FFFF FF7F				? (MAXLONGLONG)

0000008C: 1A00 1A00 E8F8				?

00000092: 0900 0000 0000 04F9				?
0000009A: 0900 0000 0000 04F9				?
000000A2: 0900 0000 0000 04F9				?
000000AA: 0900 0000 0000 04F9				?
000000B2: 0900 0000 0000 04F9				?

000000BA: 0900 0B00 0000 F401 0000 0102 0000 0000	?
000000CA: 0000 0000 0000 2000 0000 0000 0000 0000	?
000000DA: 0000 0000 0000 0000 0000 0C00 0E00 04F9	?
000000EA: 0900 0600 0800 14F9 0900 1CF9 0900 0000	?
000000FA: 0000 0000 0000 1002 0000 0000 0000 0000	?
0000010A: 0000 0000 0000 0000 0000 0000 0000 0000	?
0000011A: 0000 0000 0000 0500 0000 34F9 0900 0000	?
0000012A: 0000 0000 0000 0000 0000			?

00000134: 0D00 0000 0000 0000				QWORD: 13
0000013C: 0D00 0000 4100 6400 6D00 6900 6E00 6900	BSTR("Admini
0000014C: 7300 7400 7200 6100 7400 6F00 7200		strator")

0000015A: 0000 0000 0000 0000 0000 0000 0000 0000	?
0000016A: 0000 0000 0000 0000 0000 0000 0000 0000	?
0000017A: 0000 0000 0000 0000 0000 0000 0000 0000	?
0000018A: 0000 0000 0000 0000 0000 0000 0000		?

00000198: 0700 0000 0000 0000				QWORD: 7
000001A0: 0600 0000 5400 4500 5200 4D00 4900 5400	BSTR("TERMIT")

000001B0: 0400 0000 0000 0000				QWORD: 4
000001B8: 0300 0000 4600 4F00 4F00			BSTR("FOO")

000001C2: 0000						? (padding to dword boundary?)

000001C4: 0400 0000					DWORD: 4 (# of subauths)
000001C8: 0104 0000 0000 0005 1500 0000 B644 E423	SID: S-1-5-21-602162358-
000001D8: F89F B474 16C0 EA32				1957994488-854245398
							(SID of the domain)

000001E0: 0500 0000 5CF9 0900 0700 0000 78F9 0900	?
000001F0: 0700 0000 94F9 0900 0700 0000 B0F9 0900	?
00000200: 0700 0000 CCF9 0900 0700 0000			?

0000020C: 0500 0000					DWORD: 5 (# of subauths)
00000210: 0105 0000 0000 0005 1500 0000 B644 E423	SID: S-1-5-21-602162358-
00000220: F89F B474 16C0 EA32 0602 0000			1957994488-854245398-518
							(SID of schema admins group)

0000022C: 0500 0000					DWORD: 5 (# of subauths)
00000230: 0105 0000 0000 0005 1500 0000 B644 E423	SID: S-1-5-21-602162358-
00000240: F89F B474 16C0 EA32 0002 0000			1957994488-854245398-512
							(SID of domain admins group)

0000024C: 0500 0000					DWORD: 5 (# of subauths)
00000250: 0105 0000 0000 0005 1500 0000 B644 E423	SID: S-1-5-21-602162358-
00000260: F89F B474 16C0 EA32 0702 0000			1957994488-854245398-519

0000026C: 0500 0000					DWORD: 5 (# of subauths)
00000270: 0105 0000 0000 0005 1500 0000 B644 E423	SID: S-1-5-21-602162358-
00000280: F89F B474 16C0 EA32 0802 0000			1957994488-854245398-520

0000028C: 0500 0000					DWORD: 5 (# of subauths)
00000290: 0105 0000 0000 0005 1500 0000 B644 E423	SID: S-1-5-21-602162358-
000002A0: F89F B474 16C0 EA32 0102 0000			1957994488-854245398-513
							(SID of domain users group)

000002AC: 0000 0000					DWORD: 0 (end of SID list?)

----------------------------------------------------------------------
SEGMENT 2:

000002B0: 80EC B561 7603 BF01				? (timestamp?)
000002B8: 1A00						WORD: 26 (# of bytes in string)
000002BA: 4100 6400 6D00 6900 6E00 6900 7300 7400	L"Administ
000002CA: 7200 6100 7400 6F00 7200			rator"
000002D4: 0000 0000					(padding)

	(Note: this string is not a BSTR, as the count of bytes is
	only 16 bits and it counts bytes, not chars.)

----------------------------------------------------------------------
SEGMENT 3:

000002D8: 76FF FFFF					?
000002DC: 3C7F F138 AE11 CDB0 9153 4B17 DA8A 5593	MD5 hash?  (GUID?)
000002EC: 0000 0000					(padding)

----------------------------------------------------------------------
SEGMENT 4:

000002F0: 76FF FFFF					?
000002F4: A886 4DBC DAF8 15FE 8250 9229 6A09 E654	MD5 hash?  (GUID?)
00000304: 0000 0000					(padding)

----------------------------------------------------------------------

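An added example, not part of the post and not Heimdal or Samba code: a
Python 3 parser (standard library only) for the layout described above,
run over a 776-byte buffer rebuilt from the bytes in the dump.  Only the
header, the SID region of the first segment, the second segment and the
two 20-byte trailers are copied in; the rest of the first segment is
zero-filled because the post does not decode it, and the three offsets
inside the first segment are the ones the post measured, not anything
derived from the data.  The names in the comments (PACTYPE,
PAC_INFO_BUFFER, KERB_CHECKSUM_HMAC_MD5) are from Microsoft's later
MS-PAC specification of this same structure; that specification also
lists RID 519 as Enterprise Admins and RID 520 as Group Policy Creator
Owners, both new with Windows 2000, which is why they were not in the
NT4-era well-known lists.  The 44 bytes between the domain SID and the
group SIDs parse as an NDR array of five (referent id, attributes = 7)
pairs, consistent with MS-PAC's KERB_SID_AND_ATTRIBUTES; that reading is
an assumption here.  The parser bounds-checks every buffer offset and
length, checks alignment and overlap, checks that each group SID carries
the domain SID as prefix, and treats the 0xFFFFFF76 value as the
signature type.  The practitioner's caveat is the reason those two
trailers exist: the server signature is keyed with the service's own
long-term key, so a service that reads the SID list without verifying it
accepts whatever group memberships a client cares to put in the ticket.

```python
import struct
from datetime import datetime, timedelta

# Sample input rebuilt from the hex dump in the post: only the parts the post
# decodes are filled in, the rest of the 776 bytes is zero (constructed input).
HEADER = bytes.fromhex(
    "0400000000000000"                      # MS-PAC PACTYPE: cBuffers=4, Version=0
    "0100000068020000" "4800000000000000"   # PAC_INFO_BUFFER: type 1, 616 bytes @ 72
    "0A00000024000000" "B002000000000000"   # type 10,  36 bytes @ 688
    "0600000014000000" "D802000000000000"   # type 6,   20 bytes @ 728
    "0700000014000000" "F002000000000000")  # type 7,   20 bytes @ 752
DOMAIN_SID = bytes.fromhex("010400000000000515000000B644E423F89FB47416C0EA32")
GROUP_PREFIX = bytes.fromhex("010500000000000515000000B644E423F89FB47416C0EA32")
GROUP_RIDS = [518, 512, 519, 520, 513]      # order as in the dump
GROUP_ATTRS = bytes.fromhex(                # 0x1E0: count 5, then 5 x (NDR referent
    "05000000" "5CF9090007000000" "78F9090007000000" "94F9090007000000"
    "B0F9090007000000" "CCF9090007000000")  # id, attributes = 7) -- assumed reading
CLIENT_INFO = (bytes.fromhex("80ECB5617603BF01") + struct.pack("<H", 26)
               + "Administrator".encode("utf-16-le"))
SIG_SERVER = bytes.fromhex("76FFFFFF" "3C7FF138AE11CDB091534B17DA8A5593")
SIG_KDC = bytes.fromhex("76FFFFFF" "A8864DBCDAF815FE825092296A09E654")

def build_sample_pac():
    buf = bytearray(776)
    buf[0:72] = HEADER
    buf[0x1C4:0x1E0] = struct.pack("<I", 4) + DOMAIN_SID
    buf[0x1E0:0x20C] = GROUP_ATTRS
    for i, rid in enumerate(GROUP_RIDS):    # 32-byte entries 0x20C..0x2AC; the
        off = 0x20C + 32 * i                # terminating 0 at 0x2AC is already there
        buf[off:off + 32] = struct.pack("<I", 5) + GROUP_PREFIX + struct.pack("<I", rid)
    buf[0x2B0:0x2D4], buf[0x2D8:0x2EC], buf[0x2F0:0x304] = CLIENT_INFO, SIG_SERVER, SIG_KDC
    return bytes(buf)

# Offsets inside the type-1 buffer where the post located the SIDs (measured from
# the dump; a real consumer would unmarshal the NDR stream instead).
DOMAIN_SID_OFF, GROUP_ATTRS_OFF, GROUP_LIST_OFF = 0x1C4 - 0x48, 0x1E0 - 0x48, 0x20C - 0x48

def parse_pac_header(buf):
    count, version = struct.unpack_from("<II", buf, 0)
    if version != 0 or not 0 < count <= 64 or 8 + 16 * count > len(buf):
        raise ValueError("implausible PAC header")
    entries = [struct.unpack_from("<IIQ", buf, 8 + 16 * i) for i in range(count)]
    for typ, size, off in entries:          # 8-aligned, past the table, inside the blob
        if off % 8 or off < 8 + 16 * count or off + size > len(buf):
            raise ValueError("buffer type %d misaligned or out of bounds" % typ)
    spans = sorted((off, off + size) for _, size, off in entries)
    if any(b[0] < a[1] for a, b in zip(spans, spans[1:])):
        raise ValueError("overlapping buffers")
    return entries

def parse_sid(buf, off):
    """Revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    rev, nsub = buf[off], buf[off + 1]
    if rev != 1 or not 0 < nsub <= 15:
        raise ValueError("bad SID header")
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % nsub, buf, off + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(map(str, subs))), off + 8 + 4 * nsub

def parse_logon_info(seg):
    """Domain SID, the (referent, attributes) array, then the group SID list; each
    SID carries a 32-bit NDR count that must match its own count byte, 0 ends it."""
    def counted_sid(off):
        (n,) = struct.unpack_from("<I", seg, off)
        if n != seg[off + 5]:
            raise ValueError("SID count mismatch at %#x" % off)
        return parse_sid(seg, off + 4)
    domain_sid, _ = counted_sid(DOMAIN_SID_OFF)
    (n,) = struct.unpack_from("<I", seg, GROUP_ATTRS_OFF)
    attrs = [struct.unpack_from("<II", seg, GROUP_ATTRS_OFF + 4 + 8 * i)[1] for i in range(n)]
    groups, off = [], GROUP_LIST_OFF
    while struct.unpack_from("<I", seg, off)[0] != 0:
        sid, off = counted_sid(off)
        if not sid.startswith(domain_sid + "-"):
            raise ValueError("group SID %s is not in the domain" % sid)
        groups.append(sid)
    if len(groups) != n:
        raise ValueError("group count mismatch")
    return domain_sid, list(zip(groups, attrs))

def parse_client_info(seg):
    """FILETIME logon time, 16-bit byte length, UTF-16LE name (not a BSTR)."""
    ft, nbytes = struct.unpack_from("<QH", seg, 0)
    if nbytes % 2 or 10 + nbytes > len(seg):
        raise ValueError("bad client-info name length")
    when = datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)
    return when, seg[10:10 + nbytes].decode("utf-16-le")

def parse_pac(buf):
    result = {"buffers": parse_pac_header(buf), "signatures": {}}
    for typ, size, off in result["buffers"]:
        seg = buf[off:off + size]
        if typ == 1:
            result["domain_sid"], result["groups"] = parse_logon_info(seg)
        elif typ == 10:
            result["logon_time"], result["client_name"] = parse_client_info(seg)
        elif typ in (6, 7):   # 0xFFFFFF76 == -138 == KERB_CHECKSUM_HMAC_MD5, 16 bytes
            result["signatures"][typ] = (struct.unpack_from("<i", seg, 0)[0], seg[4:])
    return result

if __name__ == "__main__":
    print(parse_pac(build_sample_pac()))
```

Running the block prints the domain SID, the five group SIDs with their
attribute words, the client name, the logon FILETIME decoded to
1999-09-20 UTC (the day before Assar's message) and the two -138
signature buffers.  Flipping one byte of a buffer offset or of a group
SID's domain part makes the parser raise instead of returning a group
list, which is the behaviour a consumer wants before any of these SIDs
reach an access check.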
