summaryrefslogtreecommitdiffstats
path: root/docs/textdocs/cifsntdomain.txt
blob: a72b1723938417e28212b80c289b469270439a3b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
!==
!== cifsntdomain.txt for Samba release 1.9.18alpha5 26 Oct 1997
!==
NT Domain Authentication
------------------------

Authors:	- Luke Kenneth Casson Leighton (lkcl@switchboard.net)
--------	  Copyright (C) 1997 Luke Kenneth Casson Leighton
		- Paul Ashton                  (paul@argo.demon.co.uk)
		  Copyright (C) 1997 Paul Ashton

Version:	0.019 (25oct97)
--------

Distribution:	Unlimited and encouraged, for the purposes of implementation
-------------	and comments.  Feedback welcomed by the authors.

Liability:	Absolutely none accepted implicitly or explicitly, direct
----------	or consequentially, for use, abuse, misuse, lack of use,
		misunderstandings, mistakes, omissions, mis-information for
		anything in or not in, related to or pertaining to this
		document or anything else that a lawyer can think of or not
		think of.

Warning:	Please bear in mind that an incorrect implementation of this
--------	protocol can cause NT workstation to fail irrevocably, for
		which the authors accept no liability (see above).  Please
		contact your vendor if you have any problems.

Sources:	- Packet Traces from Netmonitor (Service Pack 1 and above)
--------	- Paul Ashton and Luke Leighton's other "NT Domain" doc.
		- CIFS documentation - cifs6.txt
		- CIFS documentation - cifsrap2.txt

Original:	http://mailhost.cb1.com/~lkcl/cifsntdomain.txt.
---------	(Controlled copy maintained by lkcl@switchboard.net)

Credits:	- Paul Ashton: loads of work with Net Monitor; 
--------	  understanding the NT authentication system;
		  reference implementation of the NT domain support on which
		  this document is originally based.
		- Linus Nordberg: producing c-code from Paul's crypto spec.
		- Windows Sourcer development team


Contents:
---------

   1) Introduction

   2) Structures and notes

      2.1) Notes
      2.2) Structures

   3) Transact Named Pipe Header/Tail

      3.1) Header
      3.2) Tail

   4) NTLSA Transact Named Pipe

      4.1) LSA Open Policy
      4.2) LSA Query Info Policy
      4.3) LSA Enumerate Trusted Domains
      4.4) LSA Open Secret
      4.5) LSA Close
      4.6) LSA Lookup SIDS
      4.7) LSA Lookup Names

   5) NETLOGON rpc Transact Named Pipe

      5.1) LSA Request Challenge
      5.2) LSA Authenticate 2
      5.3) LSA Server Password Set
      5.4) LSA SAM Logon
      5.5) LSA SAM Logoff

   6) \\MAILSLOT\NET\NTLOGON

      6.1) Query for PDC
      6.2) SAM Logon

   7) SRVSVC Transact Named Pipe

      7.1) Net Share Enum
      7.2) Net Server Get Info


Appendix:
---------

   A1) Cryptographic side of NT Domain Authentication
   
       A1.1) Definitions
       A1.2) Protocol
       A1.3) Comments

   A2) SIDs and RIDs

       A2.1) Well-known SIDs

             A2.1.1) Universal well-known SIDs
             A2.1.2) NT well-known SIDs

       A2.2) Well-known RIDS
      
             A2.2.1) Well-known RID users
             A2.2.2) Well-known RID groups
             A2.2.3) Well-known RID aliases



1) Introduction
---------------


This document contains information to provide an NT workstation with login
services, without the need for an NT server.

It should be possible to select a domain instead of a workgroup (in the NT
workstation's TCP/IP settings) and after the obligatory reboot, type in a
username, password, select a domain and successfully log in.  I would
appreciate any feedback on your experiences with this process, and any
comments, corrections and additions to this document.


The packets described here can be easily derived from (and are probably
better understood using) Netmon.exe.  You will need to use the version
of Netmon that matches your system, in order to correctly decode the
NETLOGON, lsarpc and srvsvc Transact pipes.  This document is derived from
NT Service Pack 1 and its corresponding version of Netmon.  It is intended
that an annotated packet trace be produced, which will likely be more
instructive than this document.

Also needed, to fully implement NT Domain Login Services, is the 
document describing the cryptographic part of the NT authentication.
This document is available from comp.protocols.smb; from the ntsecurity.net
digest and from the samba digest, amongst other sources.

A copy is available from:

http://ntbugtraq.rc.on.ca/SCRIPTS/WA.EXE?A2=ind9708&L=ntbugtraq&O=A&P=2935
http://mailhost.cb1.com/~lkcl/crypt.html


A c-code implementation, provided by Linus Nordberg <linus@incolumitas.se>
of this protocol is available from:

http://samba.anu.edu.au/cgi-bin/mfs/01/digest/1997/97aug/0391.html
http://mailhost.cb1.com/~lkcl/crypt.txt


Also used to provide debugging information is the Check Build version of
NT workstation, and enabling full debugging in NETLOGON.  This is
achieved by setting the following REG_SZ registry key to 0x1ffffff:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

- Incorrect direct editing of the registry can cause your machine to fail.
  Then again, so can incorrect implementation of this protocol.
  See "Liability:" above.


Bear in mind that each packet over-the-wire will have its origin in an
API call.  Therefore, there are likely to be structures, enumerations
and defines that are usefully documented elsewhere.


This document is by no means complete or authoritative.  Missing sections
include, but are not limited to:

- the meaning (and use by NT) of SIDs and RIDs.

- mappings of RIDs to usernames (and vice-versa).

- what a User ID is and what a Group ID is.

- the exact meaning/definition of various magic constants or enumerations.

- the reply error code and use of that error code when a workstation
  becomes a member of a domain (to be described later).  Failure to
  return this error code will make the workstation report that it is
  already a member of the domain.

- the cryptographic side of the NetrServerPasswordSet command, which would
  allow the workstation to change its password.  This password is used to
  generate the long-term session key.  [It is possible to reject this
  command, and keep the default workstation password].
   

2) Notes and Structures
-----------------------


2.1) Notes
----------

- In the SMB Transact pipes, some "Structures", described here, appear to be
  4-byte aligned with the SMB header, at their start.  Exactly which
  "Structures" need aligning is not precisely known or documented.

- In the UDP NTLOGON Mailslots, some "Structures", described here, appear to be
  2-byte aligned with the start of the mailslot, at their start.

- Domain SID is of the format S-revision-version-auth1-auth2...authN.
  e.g S-1-5-123-456-789-123-456.  the 5 could be a sub-revision.

- any undocumented buffer pointers must be non-zero if the string buffer it
  refers to contains characters.  exactly what value they should be is unknown.
  0x0000 0002 seems to do the trick to indicate that the buffer exists.  a
  NULL buffer pointer indicates that the string buffer is of zero length.
  If the buffer pointer is NULL, then it is suspected that the structure it
  refers to is NOT put into (or taken out of) the SMB data stream.  This is
  empirically derived from, for example, the LSA SAM Logon response packet,
  where if the buffer pointer is NULL, the user information is not inserted
  into the data stream.  Exactly what happens with an array of buffer pointers
  is not known, although an educated guess can be made.

- an array of structures (a container) appears to have a count and a pointer.
  if the count is zero, the pointer is also zero.  no further data is put
  into or taken out of the SMB data stream.  if the count is non-zero, then
  the pointer is also non-zero.  immediately following the pointer is the
  count again, followed by an array of container sub-structures.  the count
  appears a third time after the last sub-structure.

  

2.2) Structures
---------------

- sizeof VOID* is 32 bits.

- sizeof char is 8 bits.

- UTIME is 32 bits, indicating time in seconds since 01jan1970.  documented
  in cifs6.txt (section 3.5 page, page 30).

- NTTIME is 64 bits.  documented in cifs6.txt (section 3.5 page, page 30).

- DOM_SID (domain SID structure) :

        UINT32             num of sub-authorities in domain SID
        UINT8              SID revision number
        UINT8              num of sub-authorities in domain SID
        UINT8[6]           6 bytes for domain SID - Identifier Authority.
        UINT16[n_subauths] domain SID sub-authorities

  Note: the domain SID is documented elsewhere.

- STR (string) :

        char[]             null-terminated string of ascii characters.

- UNIHDR (unicode string header) :

        UINT16             length of unicode string
        UINT16             max length of unicode string
        UINT32             4 - undocumented.
   
- UNIHDR2 (unicode string header plus buffer pointer) :

        UNIHDR             unicode string header
        VOID*              undocumented buffer pointer

- UNISTR (unicode string) :

        UINT16[]           null-terminated string of unicode characters.

- NAME (length-indicated unicode string) :

        UINT32             length of unicode string
        UINT16[]           null-terminated string of unicode characters.

- UNISTR2 (aligned unicode string) :

        UINT8[]            padding to get unicode string 4-byte aligned
                           with the start of the SMB header.
        UINT32             max length of unicode string
        UINT32             0 - undocumented
        UINT32             length of unicode string
        UINT16[]           string of uncode characters.

- POL_HND (LSA policy handle) :

    char[20]           policy handle

- DOM_SID2 (domain SID structure, SIDS stored in unicode) :

        UINT32             5 - SID type
        UINT32             0 - undocumented
        UNIHDR2            domain SID unicode string header
        UNISTR             domain SID unicode string

  Note:	there is a conflict between the unicode string header and the
	unicode string itself as to which to use to indicate string
	length.  this will need to be resolved.

  Note:	the SID type indicates, for example, an alias; a well-known group etc.
	this is documented somewhere.

- DOM_RID (domain RID structure) :

        UINT32             5 - well-known SID.  1 - user SID (see ShowACLs)
        UINT32             5 - undocumented
        UINT32             domain RID 
        UINT32             0 - domain index out of above reference domains
        

- LOG_INFO (server, account, client structure) :

  Note:	logon server name starts with two '\' characters and is upper case.

  Note:	account name is the logon client name from the LSA Request Challenge,
	with a $ on the end of it, in upper case.

        VOID*       undocumented buffer pointer
        UNISTR2     logon server unicode string
        UNISTR2     account name unicode string
        UINT16      sec_chan - security channel type
        UNISTR2     logon client machine unicode string

- CLNT_SRV (server, client names structure) :

  Note:	logon server name starts with two '\' characters and is upper case.

        VOID*       undocumented buffer pointer
        UNISTR2     logon server unicode string
        VOID*       undocumented buffer pointer
        UNISTR2     logon client machine unicode string

- CREDS (credentials + time stamp)

        char[8]     credentials
        UTIME       time stamp
    
- CLNT_INFO2 (server, client structure, client credentials) :

  Note: whenever this structure appears in a request, you must take a copy
	of the client-calculated credentials received, because they will be
	used in subsequent credential checks.  the presumed intention is to
	maintain an authenticated request/response trail.
        
        CLNT_SRV     client and server names
        UINT8[]      ???? padding, for 4-byte alignment with SMB header.
        VOID*        pointer to client credentials.
        CREDS        client-calculated credentials + client time

- CLNT_INFO (server, account, client structure, client credentials) :

  Note: whenever this structure appears in a request, you must take a copy
	of the client-calculated credentials received, because they will be
	used in subsequent credential checks.  the presumed intention is to
	maintain an authenticated request/response trail.
        
        LOG_INFO    logon account info
        CREDS       client-calculated credentials + client time

- ID_INFO_1 (id info structure, auth level 1) :

    VOID*         ptr_id_info_1
    UNIHDR        domain name unicode header
    UINT32        param control
    UINT64        logon ID
    UNIHDR        user name unicode header
    UNIHDR        workgroup name unicode header
    char[16]      rc4 LM OWF Password
    char[16]      rc4 NT OWF Password
    UNISTR2       domain name unicode string
    UNISTR2       user name unicode string
    UNISTR2       workstation name unicode string

- SAM_INFO (sam logon/logoff id info structure) :

  Note: presumably, the return credentials is supposedly for the server to
        verify that the credential chain hasn't been compromised.

        CLNT_INFO2  client identification/authentication info
        VOID*       pointer to return credentials.
        CRED        return credentials - ignored.
        UINT16      logon level
        UINT16      switch value

        switch (switch_value)
        case 1:
        {
            ID_INFO_1     id_info_1;
        }

- GID (group id info) :

        UINT32      group id
        UINT32      user attributes (only used by NT 3.1 and 3.51)

- DOM_REF (domain reference info) :

        VOID*                    undocumented buffer pointer.
        UINT32                   num referenced domains?
        VOID*                    undocumented domain name buffer pointer.
        UINT32                   32 - max number of entries
        UINT32                   4 - num referenced domains?

        UNIHDR2                  domain name unicode string header
        UNIHDR2[num_ref_doms-1]  referenced domain unicode string headers

        UNISTR                   domain name unicode string
        DOM_SID[num_ref_doms]    referenced domain SIDs

- DOM_INFO (domain info, levels 3 and 5 are the same)) :

        UINT8[]     ??? padding to get 4-byte alignment with start of SMB header
        UINT16      domain name string length * 2
        UINT16      domain name string length * 2
        VOID*       undocumented domain name string buffer pointer
        VOID*       undocumented domain SID string buffer pointer
        UNISTR2     domain name (unicode string)
        DOM_SID     domain SID

- USER_INFO (user logon info) :

    Note: it would be nice to know what the 16 byte user session key is for.

        NTTIME            logon time
        NTTIME            logoff time
        NTTIME            kickoff time
        NTTIME            password last set time
        NTTIME            password can change time
        NTTIME            password must change time

        UNIHDR            username unicode string header
        UNIHDR            user's full name unicode string header
        UNIHDR            logon script unicode string header
        UNIHDR            profile path unicode string header
        UNIHDR            home directory unicode string header
        UNIHDR            home directory drive unicode string header

        UINT16            logon count
        UINT16            bad password count

        UINT32            User ID
        UINT32            Group ID
        UINT32            num groups
        VOID*             undocumented buffer pointer to groups.

        UINT32            user flags
        char[16]          user session key

        UNIHDR            logon server unicode string header
        UNIHDR            logon domain unicode string header
        VOID*             undocumented logon domain id pointer
        char[40]          40 undocumented padding bytes.  future expansion?

        UINT32            0 - num_other_sids?
        VOID*             NULL - undocumented pointer to other domain SIDs.
        
        UNISTR2           username unicode string
        UNISTR2           user's full name unicode string
        UNISTR2           logon script unicode string
        UNISTR2           profile path unicode string
        UNISTR2           home directory unicode string
        UNISTR2           home directory drive unicode string

        UINT32            num groups
        GID[num_groups]   group info

        UNISTR2           logon server unicode string
        UNISTR2           logon domain unicode string

        DOM_SID           domain SID
        DOM_SID[num_sids] other domain SIDs?

- SH_INFO_1_PTR (pointers to level 1 share info strings):

Note:	see cifsrap2.txt section5, page 10.

	0 for shi1_type indicates a  Disk.
	1 for shi1_type indicates a  Print Queue.
	2 for shi1_type indicates a  Device.
	3 for shi1_type indicates an IPC pipe.
	0x8000 0000 (top bit set in shi1_type) indicates a hidden share.

        VOID*        shi1_netname - pointer to net name
        UINT32       shi1_type    - type of share.  0 - undocumented.
        VOID*        shi1_remark  - pointer to comment.

- SH_INFO_1_STR (level 1 share info strings) :

        UNISTR2      shi1_netname - unicode string of net name
        UNISTR2      shi1_remark  - unicode string of comment.

- SHARE_INFO_1_CTR :

    share container with 0 entries:

        UINT32        0 - EntriesRead
        UINT32        0 - Buffer

    share container with > 0 entries:

        UINT32                      EntriesRead
        UINT32                      non-zero - Buffer
        UINT32                      EntriesRead

        SH_INFO_1_PTR[EntriesRead]  share entry pointers
        SH_INFO_1_STR[EntriesRead]  share entry strings

        UINT8[]                     padding to get unicode string 4-byte
                                    aligned with start of the SMB header.
        UINT32                      EntriesRead
    	UINT32                      0 - padding

- SERVER_INFO_101 :

Note:	see cifs6.txt section 6.4 - the fields described therein will be
	of assistance here.  for example, the type listed below is the
	same as fServerType, which is described in 6.4.1.

	SV_TYPE_WORKSTATION        0x00000001  All workstations
	SV_TYPE_SERVER             0x00000002  All servers
	SV_TYPE_SQLSERVER          0x00000004  Any server running with SQL
	                                       server
	SV_TYPE_DOMAIN_CTRL        0x00000008  Primary domain controller
	SV_TYPE_DOMAIN_BAKCTRL     0x00000010  Backup domain controller
	SV_TYPE_TIME_SOURCE        0x00000020  Server running the timesource
					       service
	SV_TYPE_AFP                0x00000040  Apple File Protocol servers
	SV_TYPE_NOVELL             0x00000080  Novell servers
	SV_TYPE_DOMAIN_MEMBER      0x00000100  Domain Member
	SV_TYPE_PRINTQ_SERVER      0x00000200  Server sharing print queue
	SV_TYPE_DIALIN_SERVER      0x00000400  Server running dialin service.
	SV_TYPE_XENIX_SERVER       0x00000800  Xenix server
	SV_TYPE_NT                 0x00001000  NT server
	SV_TYPE_WFW                0x00002000  Server running Windows for

	SV_TYPE_SERVER_NT          0x00008000  Windows NT non DC server
	SV_TYPE_POTENTIAL_BROWSER  0x00010000  Server that can run the browser
	                                       service
	SV_TYPE_BACKUP_BROWSER     0x00020000  Backup browser server
	SV_TYPE_MASTER_BROWSER     0x00040000  Master browser server
	SV_TYPE_DOMAIN_MASTER      0x00080000  Domain Master Browser server
	SV_TYPE_LOCAL_LIST_ONLY    0x40000000  Enumerate only entries marked
	                                       "local"
	SV_TYPE_DOMAIN_ENUM        0x80000000  Enumerate Domains. The pszServer
	                                       and pszDomain parameters must be
	                                       NULL.

        UINT32        500 - platform_id
        VOID*         pointer to name
        UINT32        5 - major version
        UINT32        4 - minor version
        UINT32        type (SV_TYPE_... bit field)
        VOID*         pointer to comment

        UNISTR2       sv101_name - unicode string of server name
        UNISTR2       sv_101_comment  - unicode string of server comment.

        UINT8[]       padding to get unicode string 4-byte
                      aligned with start of the SMB header.



3) Transact Named Pipe Header/Tail
----------------------------------

Interesting note: if you set packed data representation to 0x0100 0000 then
all 4-byte and 2-byte word ordering is turned around.

3.1) Header
-----------

The start of each of the NTLSA and NETLOGON named pipes begins with:

00  UINT8         5 - RPC major version
01  UINT8         0 - RPC minor version
02  UINT8         2 - RPC response packet
03  UINT8         3 - first frag + last frag
04  UINT32        0x1000 0000 - packed data representation
08  UINT16        fragment length - data size (bytes) inc header and tail.
0A  UINT16        0 - authentication length 
0C  UINT32        call identifier.  matches 12th UINT32 of incoming RPC data.
10  UINT32        allocation hint - data size (bytes) minus header and tail.
14  UINT16        0 - presentation context identifier
16  UINT8         0 - cancel count
17  UINT8         in replies: 0 - reserved; in requests: opnum - see #defines.
18  ......        start of data (goes on for allocation_hint bytes)


3.2 Tail
--------

The end of each of the NTLSA and NETLOGON named pipes ends with:

    ......        end of data
    UINT32        return code



4) NTLSA Transact Named Pipe
----------------------------
        
Defines for this pipe, identifying the query are:

- LSA Open Policy:               0x2c
- LSA Query Info Policy:         0x07
- LSA Enumerate Trusted Domains: 0x0d
- LSA Open Secret:               0xff
- LSA Lookup SIDs:               0xfe
- LSA Lookup Names:              0xfd
- LSA Close:                     0x00


4.1) LSA Open Policy
--------------------

Note:	The policy handle can be anything you like.

Request:

    no extra data.

Response:

    POL_HND   LSA policy handle

    return    0 - indicates success


4.2) LSA Query Info Policy
--------------------------

Note:	The info class in response must be the same as that in the request.

Request:

    POL_HND   LSA policy handle
    UINT16    info class (also a policy handle?)

Response:

    VOID*     undocumented buffer pointer
    UINT16    info class (same as info class in request).
    
    switch (info class)
    case 3:
    case 5:
    {
        DOM_INFO domain info, levels 3 and 5 (are the same).
    }

    return    0 - indicates success


4.3) LSA Enumerate Trusted Domains
----------------------------------

Request:

    no extra data

Response:

    UINT32     0 - enumeration context
    UINT32     0 - entries read
    UINT32     0 - trust information

    return     0x8000 001a - "no trusted domains" success code


4.4) LSA Open Secret
--------------------

Request:

    no extra data

Response:

    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented

    return    0x0C00 0034 - "no such secret" success code


4.5) LSA Close
--------------

Request:

    no extra data

Response:

    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented
    UINT32    0 - undocumented

    return    0 - indicates success


4.6) LSA Lookup SIDS
--------------------

Note:	num_entries in response must be same as num_entries in request.

Request:

    POL_HND            LSA policy handle
    UINT32             num_entries
    VOID*              undocumented domain SID buffer pointer
    VOID*              undocumented domain name buffer pointer
    VOID*[num_entries] undocumented domain SID pointers to be looked up.
    DOM_SID[num_entries] domain SIDs to be looked up.
    char[16]           completely undocumented 16 bytes.

Response:

    DOM_REF               domain reference response

    UINT32                num_entries (listed above)
    VOID*                 undocumented buffer pointer

    UINT32                num_entries (listed above)
    DOM_SID2[num_entries] domain SIDs (from Request, listed above).

    UINT32                num_entries (listed above)

    return                0 - indicates success


4.7) LSA Lookup Names
---------------------

Note:	num_entries in response must be same as num_entries in request.

Request:

    POL_HND            LSA policy handle
    UINT32             num_entries
    UINT32             num_entries
    VOID*              undocumented domain SID buffer pointer
    VOID*              undocumented domain name buffer pointer
    NAME[num_entries]  names to be looked up.
    char[]             undocumented bytes - falsely translated SID structure?

Response:

    DOM_REF               domain reference response

    UINT32                num_entries (listed above)
    VOID*                 undocumented buffer pointer

    UINT32                num_entries (listed above)
    DOM_RID[num_entries]  domain SIDs (from Request, listed above).

    UINT32                num_entries (listed above)

    return                0 - indicates success



5) NETLOGON rpc Transact Named Pipe
-----------------------------------

Defines for this pipe, identifying the query are:

- LSA Request Challenge:         0x04
- LSA Server Password Set:       0x06
- LSA SAM Logon:                 0x02
- LSA SAM Logoff:                0xfc
- LSA Auth 2:                    0x0f
- LSA Logon Control:             0x0e


5.1) LSA Request Challenge
--------------------------

Note:	logon server name starts with two '\' characters and is upper case.

Note:	logon client is the machine, not the user.

Note:	the initial LanManager password hash, against which the challenge
	is issued, is the machine name itself (lower case).  there will be
	calls issued (LSA Server Password Set) which will change this, later.
	refusing these calls allows you to always deal with the same password
	(i.e the LM# of the machine name in lower case).

Request:

    VOID*       undocumented buffer pointer
    UNISTR2     logon server unicode string
    UNISTR2     logon client unicode string
    char[8]     client challenge

Response:

    char[8]     server challenge

    return    0 - indicates success



5.2) LSA Authenticate 2
-----------------------

Note:	in between request and response, calculate the client credentials,
	and check them against the client-calculated credentials (this
	process uses the previously received client credentials).

Note:	neg_flags in the response is the same as that in the request.

Note:	you must take a copy of the client-calculated credentials received
	here, because they will be used in subsequent authentication packets.

Request:

    LOG_INFO    client identification info

    char[8]     client-calculated credentials
    UINT8[]     padding to 4-byte align with start of SMB header.
    UINT32      neg_flags - negotiated flags (usual value is 0x0000 01ff)

Response:

    char[8]     server credentials.
    UINT32      neg_flags - same as neg_flags in request.

    return    0 - indicates success.  failure value unknown.


5.3) LSA Server Password Set
----------------------------

Note:	the new password is suspected to be a DES encryption using the old
	password to generate the key.

Note:	in between request and response, calculate the client credentials,
	and check them against the client-calculated credentials (this
	process uses the previously received client credentials).

Note:	the server credentials are constructed from the client-calculated
	credentials and the client time + 1 second.

Note:	you must take a copy of the client-calculated credentials received
	here, because they will be used in subsequent authentication packets.

Request:

    CLNT_INFO   client identification/authentication info
    char[]      new password - undocumented.
    
Response:

    CREDS       server credentials.  server time stamp appears to be ignored.

    return    0 - indicates success; 0xC000 006a indicates failure


5.4) LSA SAM Logon
------------------

Note:	valid_user is True iff the username and password hash are valid for
	the requested domain.

Request:

    SAM_INFO    sam_id structure

Response:

    VOID*       undocumented buffer pointer
    CREDS       server credentials.  server time stamp appears to be ignored.
    
    if (valid_user)
    {
		UINT16      3 - switch value indicating USER_INFO structure.
        VOID*     non-zero - pointer to USER_INFO structure
        USER_INFO user logon information

        UINT32    1 - Authoritative response; 0 - Non-Auth?

        return    0 - indicates success
    }
    else
    {
		UINT16    0 - switch value.  value to indicate no user presumed.
        VOID*     0x0000 0000 - indicates no USER_INFO structure.

        UINT32    1 - Authoritative response; 0 - Non-Auth?

        return    0xC000 0064 - NT_STATUS_NO_SUCH_USER.
    }


5.5) LSA SAM Logoff
--------------------

Note:	presumably, the SAM_INFO structure is validated, and a (currently
	undocumented) error code returned if the Logoff is invalid.

Request:

    SAM_INFO    sam_id structure

Response:

    VOID*       undocumented buffer pointer
    CREDS       server credentials.  server time stamp appears to be ignored.

    return      0 - indicates success.  undocumented failure indication.


6) \\MAILSLOT\NET\NTLOGON
-------------------------

Note:	mailslots will contain a response mailslot, to which the response
	should be sent.  the target NetBIOS name is REQUEST_NAME<20>, where
	REQUEST_NAME is the name of the machine that sent the request.


6.1) Query for PDC
------------------

Note:	NTversion, LMNTtoken, LM20token in response are the same as those
	given in the request.

Request:

    UINT16         0x0007 - Query for PDC
    STR            machine name
    STR            response mailslot
    UINT8[]        padding to 2-byte align with start of mailslot.
    UNISTR         machine name
    UINT32         NTversion
    UINT16         LMNTtoken
    UINT16         LM20token

Response:

    UINT16         0x000A - Respose to Query for PDC
    STR            machine name (in uppercase)
    UINT8[]        padding to 2-byte align with start of mailslot.
    UNISTR         machine name
    UNISTR         domain name
    UINT32         NTversion (same as received in request)
    UINT16         LMNTtoken (same as received in request)
    UINT16         LM20token (same as received in request)


6.2) SAM Logon
--------------

Note:	machine name in response is preceded by two '\' characters.

Note:	NTversion, LMNTtoken, LM20token in response are the same as those
	given in the request.

Note:	user name in the response is presumably the same as that in the request.

Request:

    UINT16         0x0012 - SAM Logon
    UINT16         request count
    UNISTR         machine name
    UNISTR         user name
    STR            response mailslot
    UINT32         alloweable account
    UINT32         domain SID size
    char[sid_size] domain SID, of sid_size bytes.
    UINT8[]        ???? padding to 4? 2? -byte align with start of mailslot.
    UINT32         NTversion
    UINT16         LMNTtoken
    UINT16         LM20token
    
Response:

    UINT16         0x0013 - Response to SAM Logon
    UNISTR         machine name
    UNISTR         user name - workstation trust account
    UNISTR         domain name 
    UINT32         NTversion
    UINT16         LMNTtoken
    UINT16         LM20token



7) SRVSVC Transact Named Pipe
-----------------------------


Defines for this pipe, identifying the query are:

- Net Share Enum :              0x0f
- Net Server Get Info :         0x15


7.1) Net Share Enum
------------------

Note:	share level and switch value in the response are presumably the 
	same as those in the request.

Note:	cifsrap2.txt (section 5) may be of limited assistance here.

Request:

    VOID*             pointer (to server name?)
	UNISTR2           server name

    UINT8[]           padding to get unicode string 4-byte aligned
                      with the start of the SMB header.

    UINT32            share level
    UINT32            switch value

    VOID*             pointer to SHARE_INFO_1_CTR
    SHARE_INFO_1_CTR  share info with 0 entries

    UINT32            preferred maximum length (0xffff ffff)

Response:

    UINT32            share level
    UINT32            switch value

    VOID*             pointer to SHARE_INFO_1_CTR
    SHARE_INFO_1_CTR  share info (only added if share info ptr is non-zero)

    return            0 - indicates success


7.2) Net Server Get Info
------------------

Note:	level is the same value as in the request.

Request:

	UNISTR2           server name
    UINT32            switch level

Response:

    UINT32            switch level
    VOID*             pointer to SERVER_INFO_101

    SERVER_INFO_101   server info (only added if server info ptr is non-zero)

    return            0 - indicates success



Appendix
--------

A1) Cryptographic side of NT Domain Authentication
--------------------------------------------------


A1.1) Definitions
-----------------

Add(A1,A2): Intel byte ordered addition of corresponding 4 byte words
in arrays A1 and A2

E(K,D): DES ECB encryption of 8 byte data D using 7 byte key K

lmowf(): Lan man hash

ntowf(): NT hash

PW: md4(machine_password) == md4(lsadump $machine.acc) ==
pwdump(machine$) (initially) == md4(lmowf(unicode(machine)))

RC4(K,Lk,D,Ld): RC4 encryption of data D of length Ld with key K of
length Lk

v[m..n(,l)]: subset of v from bytes m to n, optionally padded with
zeroes to length l

Cred(K,D): E(K[7..7,7],E(K[0..6],D)) computes a credential

Time(): 4 byte current time

Cc,Cs: 8 byte client and server challenges Rc,Rs: 8 byte client and
server credentials


A1.2) Protocol
--------------

C->S ReqChal,Cc S->C Cs

C & S compute session key Ks = E(PW[9..15],E(PW[0..6],Add(Cc,Cs)))

C: Rc = Cred(Ks,Cc) C->S Authenticate,Rc S: Rs = Cred(Ks,Cs),
assert(Rc == Cred(Ks,Cc)) S->C Rs C: assert(Rs == Cred(Ks,Cs))

On joining the domain the client will optionally attempt to change its
password and the domain controller may refuse to update it depending
on registry settings. This will also occur weekly afterwards.

C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc) C->S ServerPasswordSet,Rc',Tc,
rc4(Ks[0..7,16],lmowf(randompassword()) C: Rc = Cred(Ks,Rc+Tc+1) S:
assert(Rc' == Cred(Ks,Rc+Tc)), Ts = Time() S: Rs' = Cred(Ks,Rs+Tc+1)
S->C Rs',Ts C: assert(Rs' == Cred(Ks,Rs+Tc+1)) S: Rs = Rs'

User: U with password P wishes to login to the domain (incidental data
such as workstation and domain omitted)

C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc) C->S NetLogonSamLogon,Rc',Tc,U,
rc4(Ks[0..7,16],16,ntowf(P),16), rc4(Ks[0..7,16],16,lmowf(P),16) S:
assert(Rc' == Cred(Ks,Rc+Tc)) assert(passwords match those in SAM) S:
Ts = Time()

S->C Cred(Ks,Cred(Ks,Rc+Tc+1)),userinfo(logon script,UID,SIDs,etc) C:
assert(Rs == Cred(Ks,Cred(Rc+Tc+1)) C: Rc = Cred(Ks,Rc+Tc+1)


A1.3) Comments
--------------

On first joining the domain the session key could be computed by
anyone listening in on the network as the machine password has a well
known value. Until the machine is rebooted it will use this session
key to encrypt NT and LM one way functions of passwords which are
password equivalents. Any user who logs in before the machine has been
rebooted a second time will have their password equivalent exposed. Of
course the new machine password is exposed at this time anyway.

None of the returned user info such as logon script, profile path and
SIDs *appear* to be protected by anything other than the TCP checksum.

The server time stamps appear to be ignored.

The client sends a ReturnAuthenticator in the SamLogon request which I
can't find a use for.  However its time is used as the timestamp
returned by the server.

The password OWFs should NOT be sent over the network reversibly
encrypted. They should be sent using RC4(Ks,md4(owf)) with the server
computing the same function using the owf values in the SAM.


A2) SIDs and RIDs
-----------------

SIDs and RIDs are well documented elsewhere.

A SID is an NT Security ID (see DOM_SID structure).  They are of the form:

	S-revision-NN-SubAuth1-SubAuth2-SubAuth3... 
	S-revision-0xNNNNNNNNNNNN-SubAuth1-SubAuth2-SubAuth3...

currently, the SID revision is 1.
The Sub-Authorities are known as Relative IDs (RIDs).


A2.1) Well-known SIDs
---------------------


A2.1.1) Universal well-known SIDs
---------------------------------

	Null SID                     S-1-0-0
	World                        S-1-1-0
	Local                        S-1-2-0
	Creator Owner ID             S-1-3-0
	Creator Group ID             S-1-3-1
	Creator Owner Server ID      S-1-3-2
	Creator Group Server ID      S-1-3-3
	
	(Non-unique IDs)             S-1-4


A2.1.2) NT well-known SIDs
--------------------------

	NT Authority          S-1-5
	Dialup                S-1-5-1

	Network               S-1-5-2
	Batch                 S-1-5-3
	Interactive           S-1-5-4
	Service               S-1-5-6
	AnonymousLogon        S-1-5-7       (aka null logon session)
	Proxy                 S-1-5-8
	ServerLogon           S-1-5-8       (aka domain controller account)
	
	(Logon IDs)           S-1-5-5-X-Y
	
	(NT non-unique IDs)   S-1-5-0x15-...
	
	(Built-in domain)     s-1-5-0x20
	


A2.2) Well-known RIDS
---------------------

A RID is a sub-authority value, as part of either a SID, or in the case
of Group RIDs, part of the DOM_GID structure, in the USER_INFO_1
structure, in the LSA SAM Logon response.


A2.2.1) Well-known RID users
----------------------------

	DOMAIN_USER_RID_ADMIN          0x0000 01F4
	DOMAIN_USER_RID_GUEST          0x0000 01F5



A2.2.2) Well-known RID groups
----------------------------

	DOMAIN_GROUP_RID_ADMINS        0x0000 0200
	DOMAIN_GROUP_RID_USERS         0x0000 0201
	DOMAIN_GROUP_RID_GUESTS        0x0000 0202



A2.2.3) Well-known RID aliases
------------------------------

	DOMAIN_ALIAS_RID_ADMINS        0x0000 0220
	DOMAIN_ALIAS_RID_USERS         0x0000 0221
	DOMAIN_ALIAS_RID_GUESTS        0x0000 0222
	DOMAIN_ALIAS_RID_POWER_USERS   0x0000 0223

	DOMAIN_ALIAS_RID_ACCOUNT_OPS   0x0000 0224
	DOMAIN_ALIAS_RID_SYSTEM_OPS    0x0000 0225
	DOMAIN_ALIAS_RID_PRINT_OPS     0x0000 0226
	DOMAIN_ALIAS_RID_BACKUP_OPS    0x0000 0227

	DOMAIN_ALIAS_RID_REPLICATOR    0x0000 0228