NT Domain Authentication Protocol - draft

Luke Kenneth Casson Leighton lkcl at switchboard.net
Wed Oct 1 12:29:18 GMT 1997


attached is a draft protocol, derived from packet traces using NetMon.exe
from Service Pack 1, and from the authentication spec published a few
weeks ago by Paul Ashton (paul at argo.demon.co.uk) and myself.

it contains the SMB NETLOGON and ntlsa transact named pipes necessary to
provide Domain Logon services to NT workstation.  the next version will
contain the UDP \\MAILSLOT\NET\NTLOGON services which are also needed,
and are also deriveable purely from packet traces using NetMon.exe.

the main issue to resolve with this spec is 4-byte SMB-header alignments
at the start of the various "structures".


Luke Kenneth Casson Leighton (lkcl at switchboard.net)
Web site under construction  (http://mailhost.cb1.com/~lkcl)
"Confront difficulties while they are still easy"

NT Domain Authentication
------------------------

1) Structures and notes
-----------------------

- Domain SID is of the format S-revision-version-auth1-auth2...authN.
  e.g S-1-5-123-456-789-123-456.  the 5 could be a sub-revision.

- sizeof VOID* is 32 bits.

- UTIME is 32 bits, indicating time in seconds since 01jan1970.  documented
  in cifs6.txt.

- NTTIME is 64 bits, and is probably documented in cifs6.txt

- any undocumented buffer pointers must be non-zero if the string buffer it
  refers to contains characters.  exactly what value they should be is unknown.
  0x0000 0002 seems to do the trick to indicate that the buffer exists.  a
  NULL buffer pointer indicates that the string buffer is of zero length.

- DOM_SID (domain SID structure) is:

		UINT32             num of sub-authorities in domain SID
        UINT8              SID revision number
        UINT8              num of sub-authorities in domain SID
        UINT8[6]           6 bytes for domain SID
        UINT16[n_subauths] domain SID sub-authorities

- UNIHDR (unicode string header) is:

        UINT16             max length of unicode string
        UINT16             length of unicode string
		UINT32             4 - undocumented.
   
- UNIHDR2 (unicode string header plus buffer pointer) is:

        UNIHDR             unicode string header
		VOID*              undocumented buffer pointer

- UNISTR (unicode string) is:

        UINT16[]           null-terminated string of unicode characters.

- UNISTR2 (aligned unicode string) is:

        UINT8[]            padding to get unicode string 4-byte aligned
                           with the start of the SMB header.
        UINT32             max length of unicode string
        UINT32             0 - undocumented
        UINT32             length of unicode string
        UINT16[]           string of uncode characters.

- DOM_SID2 (domain SID structure, SIDS stored in unicode) is:

        UINT32             5 - SID name use?
        UINT32             0 - undocumented
        UNIHDR2            domain SID unicode string header
        UNISTR             domain SID unicode string
        

- DOM_RID (domain RID structure) is:

        UINT32             5 - well-known SID.  1 - user SID (see ShowACLs)
        UINT32             5 - undocumented
        UINT32             domain RID 
        UINT32             0 - domain index out of above reference domains
        

- LOG_INFO (server, account, client structure) is:

  Note: logon server name starts with two '\' characters and is upper case.
  Note: account name is the logon client name from the LSA Request Challenge,
        with a $ on the end of it, in upper case.

        VOID*       undocumented buffer pointer
        UNISTR2     logon server unicode string
        UNISTR2     account name unicode string
        UINT16      sec_chan - security channel type
        UNISTR2     logon client machine unicode string

- CREDS (credentials + time stamp)

        char[8]     credentials
        UTIME       time stamp
    
- CLNT_INFO (server, account, client structure, client credentials) is:

  Note: whenever this structure appears in a request, you must take a copy
        of the client-calculated credentials received, because they will be
        used in subsequent credential checks.  the presumed intention is to
        maintain an authenticated request/response trail.
        
        LOG_INFO    logon account info
        CREDS       client-calculated credentials + client time

- SAM_INFO (sam logon/logoff id info structure) is:

        CLNT_INFO   client identification/authentication info
        CRED        return credentials - ignored.
        UINT16      logon level
        UINT32      undocumented - auth_level?

        switch (auth_level)
        case 1:
        {
            UINT8[]       ???? padding, for 4-byte alignment with SMB header?
            UNIHDR        domain name unicode header
            UINT32        param control
            UINT64        logon ID
            UNIHDR        user name unicode header
            UNIHDR        workgroup name unicode header
            char[16]      rc4 LM OWF Password
            char[16]      rc4 NT OWF Password
            UNISTR2       domain name unicode string
            UNISTR2       user name unicode string
            UNISTR2       workgroup name unicode string
        }

- GID (group id info) is:

        UINT32      group id
        UINT32      user attributes (only used by NT 3.1 and 3.51)


2) Transact Named Pipe Header/Tail
----------------------------------

2.1 Header
----------

The start of each of the NTLSA and NETLOGON named pipes begins with:

00  UINT8         5 - RPC major version
01  UINT8         0 - RPC minor version
02  UINT8         2 - RPC response packet
03  UINT8         3 - first frag + last frag
04  UINT32        0x0000 0010 - packed data representation
08  UINT16        fragment length - data size (bytes) inc header and tail.
0A  UINT16        0 - authentication length 
0C  UINT32        call identifier.  matches 12th UINT32 of incoming RPC data.
10  UINT32        allocation hint - data size (bytes) minus header and tail.
14  UINT16        0 - presentation context identifier
16  UINT8         0 - cancel count
17  UINT8         0 - reserved
18  ......        start of data (goes on for allocation_hint bytes)


2.2 Tail
--------

The end of each of the NTLSA and NETLOGON named pipes ends with:

    ......        end of data
    UINT32        return code


3) NTLSA Transact Named Pipe
----------------------------
        
2.1) LSA Open Policy
--------------------

Note: The policy handle can be anything you like.

Request:

    no extra data.

Response:

    char[20]  policy handle

    return    0 - indicates success


2.2) LSA Query Info Policy
--------------------------

Note: The info class in response must be the same as that in the request.

Request:

starting from offset 44:

    UINT16    info class (also a policy handle?)

Response:

    VOID*     undocumented buffer pointer
    UINT16    info class (same as info class in request).
    
    switch (info class)
    case 3:
    case 5:
    {
        UINT8[]     ??? padding to get 4-byte alignment with start of SMB header
        UINT16      domain name string length * 2
        UINT16      domain name string length * 2
        VOID*       undocumented domain name string buffer pointer
        VOID*       undocumented domain SID string buffer pointer
        UNISTR      domain name (unicode string)
        DOM_SID     domain SID
    }

    return    0 - indicates success


2.3) LSA Enumerate Trusted Domains
----------------------------------

Request:

    no extra data

Response:

    UINT32     0 - enumeration context
    UINT32     0 - entries read
    UINT32     0 - trust information

    return     0x8000 001a - "no trusted domains" success code


2.4) LSA Open Secret
--------------------

Request:

    no extra data

Response:

    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented

    return    0x0C00 0034 - "no such secret" success code


2.5) LSA Close
--------------

Request:

    no extra data

Response:

    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented

    return    0 - indicates success


2.6) LSA Lookup SIDS
--------------------

Note: num_entries in response must be same as num_entries in request.

Request:

    char[20]           policy handle
	UINT32             num_entries
    VOID*              undocumented domain SID buffer pointer
    VOID*              undocumented domain name buffer pointer
    VOID*[num_entries] undocumented domain SID pointers to be looked up.
    DOM_SID[num_entries] domain SIDs to be looked up.
    char[16]           completely undocumented 16 bytes.

Response:

    VOID*                 undocumented buffer pointer.
    UINT32                num referenced domains?
    VOID*                 undocumented domain name buffer pointer.
    UINT32                32 - max number of entries
    UINT32                4 - num referenced domains?

    UNIHDR2               domain name unicode string header
    UNIHDR2[num_ref_doms] referenced domain unicode string headers

	UNISTR                domain name unicode string
	DOM_SID               domain SID

    DOM_SID[num_ref_doms] referenced domain SIDs

    UINT32                num_entries (listed above)
    VOID*                 undocumented buffer pointer
    UINT32                num_entries (listed above)

    DOM_SID2[num_entries] domain SIDs (from Request, listed above).

    UINT32                num_entries (listed above)

    return                0 - indicates success


2.7) LSA Lookup Names
---------------------

Note: num_entries in response must be same as num_entries in request.

Request:

    char[20]           policy handle
	UINT32             num_entries
	UINT32             num_entries
    VOID*              undocumented domain SID buffer pointer
    VOID*              undocumented domain name buffer pointer
    NAME[num_entries]  names to be looked up.
    char[]             undocumented bytes - falsely translated SID structure?

Response:

    VOID*                 undocumented buffer pointer.
    UINT32                num referenced domains?
    VOID*                 undocumented domain name buffer pointer.
    UINT32                32 - max number of entries
    UINT32                4 - num referenced domains?

    UNIHDR2               domain name unicode string header
    UNIHDR2[num_ref_doms] referenced domain unicode string headers

	UNISTR                domain name unicode string
	DOM_SID               domain SID

    DOM_SID[num_ref_doms] referenced domain SIDs

    UINT32                num_entries (listed above)
    VOID*                 undocumented buffer pointer
    UINT32                num_entries (listed above)

    DOM_RID[num_entries]  domain SIDs (from Request, listed above).

    UINT32                num_entries (listed above)

    return                0 - indicates success

3) NETLOGON rpc Transact Named Pipe
-----------------------------------

3.1) LSA Request Challenge
--------------------------

Note: logon server name starts with two '\' characters and is upper case.
Note: logon client is the machine, not the user.

Note: the initial LanManager password hash, against which the challenge
      is issued, is the machine name itself (lower case).  there will be
      calls issued (LSA Server Password Set) which will change this, later.
      refusing these calls allows you to always deal with the same password
      (i.e the LM# of the machine name in lower case).

Request:

    VOID*       undocumented buffer pointer
    UNISTR2     logon server unicode string
    UNISTR2     logon client unicode string
    char[8]     client challenge

Response:

    char[8]     server challenge

    return    0 - indicates success



3.2) LSA Authenticate 2
--------------------

Note: in between request and response, calculate the client credentials,
      and check them against the client-calculated credentials (this
      process uses the previously received client credentials).
Note: neg_flags in the response is the same as that in the request.
Note: you must take a copy of the client-calculated credentials received
      here, because they will be used in subsequent authentication packets.

Request:

    LOG_INFO    client identification info

    char[8]     client-calculated credentials
    UINT8[]     padding to 4-byte align with start of SMB header.
    UINT32      neg_flags - negotiated flags (usual value is 0x0000 01ff)

Response:

    char[8]     server credentials.
    UINT32      neg_flags - same as neg_flags in request.

    return    0 - indicates success.  failure value unknown.


3.3) LSA Server Password Set
----------------------------

Note: the new password is suspected to be a DES encryption using the old
      password to generate the key.
Note: in between request and response, calculate the client credentials,
      and check them against the client-calculated credentials (this
      process uses the previously received client credentials).
Note: the server credentials are constructed from the client-calculated
      credentials and the client time + 1 second.
Note: you must take a copy of the client-calculated credentials received
      here, because they will be used in subsequent authentication packets.

Request:

    CLNT_INFO   client identification/authentication info
    char[]      new password - undocumented.
    
Response:

    CREDS       server credentials.  server time stamp appears to be ignored.

    return    0 - indicates success; 0xC000 006a indicates failure


3.4) LSA SAM Logon
--------------------

Note: valid_user is True iff the username and password hash are valid for
      the requested domain.

Request:

    SAM_INFO    sam_id structure

Response:

    VOID*       undocumented buffer pointer
    CREDS       server credentials.  server time stamp appears to be ignored.
    
    if (valid_user)
    {
        VOID*             non-zero - undocumented buffer pointer.

        NTTIME            logon time
        NTTIME            logoff time
        NTTIME            kickoff time
        NTTIME            password last set time
        NTTIME            password can change time
        NTTIME            password must change time

        UNIHDR            username unicode string header
        UNIHDR            user's full name unicode string header
        UNIHDR            logon script unicode string header
        UNIHDR            profile path unicode string header
        UNIHDR            home directory unicode string header
        UNIHDR            home directory drive unicode string header

        UINT16            logon count
        UINT16            bad password count

        UINT32            User ID
        UINT32            Group ID
        UINT32            num groups
        VOID*             undocumented buffer pointer to groups.

        UINT32            user flags
        char[16]          unused user session key

        UNIHDR            logon server unicode string header
        UNIHDR            logon domain unicode string header
        VOID*             undocumented logon domain id pointer
        char[40]          unused padding bytes.

        UINT32            0 - num_sids
        VOID*             NULL - undocumented pointer to SIDs.
        
        UNISTR2           username unicode string
        UNISTR2           user's full name unicode string
        UNISTR2           logon script unicode string
        UNISTR2           profile path unicode string
        UNISTR2           home directory unicode string
        UNISTR2           home directory drive unicode string

        UINT32            num groups
        GID[num_groups]   group info

        UNISTR2           logon server unicode string
        UNISTR2           logon domain unicode string

        DOM_SID[2?]       undocumented - domain SIDs
        DOM_SID           domain SID

        UINT32    1 - Authoritative response; 0 - Non-Auth?

        return    0 - indicates success
    }
    else
    {
        VOID*     0x0000 0000 - undocumented buffer pointer 
        UINT32    1 - Authoritative response; 0 - Non-Auth?

        return    0xC000 0064 - indicates failure
    }


3.5) LSA SAM Logoff
--------------------

Note: presumably, the SAM_INFO structure is validated, and a (currently
      undocumented) error code returned if the Logoff is invalid.

Request:

    SAM_INFO    sam_id structure

Response:

    VOID*       undocumented buffer pointer
    CREDS       server credentials.  server time stamp appears to be ignored.



More information about the samba mailing list