📄 ntmsv1_0.h
字号:
#define MSV1_0_AV_FLAG_FORCE_GUEST 0x00000001
// this is an MSV1_0 private data structure, defining the layout of an NTLM3 response, as sent by a
// client in the NtChallengeResponse field of the NETLOGON_NETWORK_INFO structure. If can be differentiated
// from an old style NT response by its length. This is crude, but it needs to pass through servers and
// the servers' DCs that do not understand NTLM3 but that are willing to pass longer responses.
typedef struct _MSV1_0_NTLM3_RESPONSE {
UCHAR Response[MSV1_0_NTLM3_RESPONSE_LENGTH]; // hash of OWF of password with all the following fields
UCHAR RespType; // id number of response; current is 1
UCHAR HiRespType; // highest id number understood by client
USHORT Flags; // reserved; must be sent as zero at this version
ULONG MsgWord; // 32 bit message from client to server (for use by auth protocol)
ULONGLONG TimeStamp; // time stamp when client generated response -- NT system time, quad part
UCHAR ChallengeFromClient[MSV1_0_CHALLENGE_LENGTH];
ULONG AvPairsOff; // offset to start of AvPairs (to allow future expansion)
UCHAR Buffer[1]; // start of buffer with AV pairs (or future stuff -- so use the offset)
} MSV1_0_NTLM3_RESPONSE, *PMSV1_0_NTLM3_RESPONSE;
#define MSV1_0_NTLM3_INPUT_LENGTH (sizeof(MSV1_0_NTLM3_RESPONSE) - MSV1_0_NTLM3_RESPONSE_LENGTH)
#define MSV1_0_NTLM3_MIN_NT_RESPONSE_LENGTH RTL_SIZEOF_THROUGH_FIELD(MSV1_0_NTLM3_RESPONSE, AvPairsOff)
typedef enum {
MsvAvEOL, // end of list
MsvAvNbComputerName, // server's computer name -- NetBIOS
MsvAvNbDomainName, // server's domain name -- NetBIOS
MsvAvDnsComputerName, // server's computer name -- DNS
MsvAvDnsDomainName, // server's domain name -- DNS
MsvAvDnsTreeName, // server's tree name -- DNS
MsvAvFlags // server's extended flags -- DWORD mask
} MSV1_0_AVID;
typedef struct _MSV1_0_AV_PAIR {
USHORT AvId;
USHORT AvLen;
// Data is treated as byte array following structure
} MSV1_0_AV_PAIR, *PMSV1_0_AV_PAIR;
///////////////////////////////////////////////////////////////////////////////
// //
// CALL PACKAGE Related Data Structures //
// //
///////////////////////////////////////////////////////////////////////////////
//
// MSV1.0 LsaCallAuthenticationPackage() submission and response
// message types.
//
typedef enum _MSV1_0_PROTOCOL_MESSAGE_TYPE {
MsV1_0Lm20ChallengeRequest = 0, // Both submission and response
MsV1_0Lm20GetChallengeResponse, // Both submission and response
MsV1_0EnumerateUsers, // Both submission and response
MsV1_0GetUserInfo, // Both submission and response
MsV1_0ReLogonUsers, // Submission only
MsV1_0ChangePassword, // Both submission and response
MsV1_0ChangeCachedPassword, // Both submission and response
MsV1_0GenericPassthrough, // Both submission and response
MsV1_0CacheLogon, // Submission only, no response
MsV1_0SubAuth, // Both submission and response
MsV1_0DeriveCredential, // Both submission and response
MsV1_0CacheLookup, // Both submission and response
MsV1_0SetProcessOption, // Submission only, no response
} MSV1_0_PROTOCOL_MESSAGE_TYPE, *PMSV1_0_PROTOCOL_MESSAGE_TYPE;
// end_ntsecapi
//
// MsV1_0Lm20ChallengeRequest submit buffer and response
//
typedef struct _MSV1_0_LM20_CHALLENGE_REQUEST {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
} MSV1_0_LM20_CHALLENGE_REQUEST, *PMSV1_0_LM20_CHALLENGE_REQUEST;
typedef struct _MSV1_0_LM20_CHALLENGE_RESPONSE {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
UCHAR ChallengeToClient[MSV1_0_CHALLENGE_LENGTH];
} MSV1_0_LM20_CHALLENGE_RESPONSE, *PMSV1_0_LM20_CHALLENGE_RESPONSE;
//
// MsV1_0Lm20GetChallengeResponse submit buffer and response
//
#define USE_PRIMARY_PASSWORD 0x01
#define RETURN_PRIMARY_USERNAME 0x02
#define RETURN_PRIMARY_LOGON_DOMAINNAME 0x04
#define RETURN_NON_NT_USER_SESSION_KEY 0x08
#define GENERATE_CLIENT_CHALLENGE 0x10
#define GCR_NTLM3_PARMS 0x20
#define GCR_TARGET_INFO 0x40 // ServerName field contains target info AV pairs
#define RETURN_RESERVED_PARAMETER 0x80 // was 0x10
#define GCR_ALLOW_NTLM 0x100 // allow the use of NTLM
#define GCR_USE_OEM_SET 0x200 // response uses oem character set
#define GCR_MACHINE_CREDENTIAL 0x400
#define GCR_USE_OWF_PASSWORD 0x800 // use owf passwords
#define GCR_ALLOW_LM 0x1000 // allow the use of LM
#define GCR_ALLOW_NO_TARGET 0x2000 // allow no target server or target domain name
//
// version 1 of the GETCHALLENRESP structure, which was used by RAS and others.
// compiled before the additional fields added to GETCHALLENRESP_REQUEST.
// here to allow sizing operations for backwards compatibility.
//
typedef struct _MSV1_0_GETCHALLENRESP_REQUEST_V1 {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG ParameterControl;
LUID LogonId;
UNICODE_STRING Password;
UCHAR ChallengeToClient[MSV1_0_CHALLENGE_LENGTH];
} MSV1_0_GETCHALLENRESP_REQUEST_V1, *PMSV1_0_GETCHALLENRESP_REQUEST_V1;
typedef struct _MSV1_0_GETCHALLENRESP_REQUEST {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG ParameterControl;
LUID LogonId;
UNICODE_STRING Password;
UCHAR ChallengeToClient[MSV1_0_CHALLENGE_LENGTH];
//
// the following 3 fields are only present if GCR_NTLM3_PARMS is set in ParameterControl
//
UNICODE_STRING UserName;
UNICODE_STRING LogonDomainName;
UNICODE_STRING ServerName; // server domain or target info AV pairs
} MSV1_0_GETCHALLENRESP_REQUEST, *PMSV1_0_GETCHALLENRESP_REQUEST;
typedef struct _MSV1_0_GETCHALLENRESP_RESPONSE {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
STRING CaseSensitiveChallengeResponse;
STRING CaseInsensitiveChallengeResponse;
UNICODE_STRING UserName;
UNICODE_STRING LogonDomainName;
UCHAR UserSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
UCHAR LanmanSessionKey[MSV1_0_LANMAN_SESSION_KEY_LENGTH];
} MSV1_0_GETCHALLENRESP_RESPONSE, *PMSV1_0_GETCHALLENRESP_RESPONSE;
//
// MsV1_0EnumerateUsers submit buffer and response
//
typedef struct _MSV1_0_ENUMUSERS_REQUEST {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
} MSV1_0_ENUMUSERS_REQUEST, *PMSV1_0_ENUMUSERS_REQUEST;
typedef struct _MSV1_0_ENUMUSERS_RESPONSE {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG NumberOfLoggedOnUsers;
PLUID LogonIds;
PULONG EnumHandles;
} MSV1_0_ENUMUSERS_RESPONSE, *PMSV1_0_ENUMUSERS_RESPONSE;
//
// MsV1_0GetUserInfo submit buffer and response
//
typedef struct _MSV1_0_GETUSERINFO_REQUEST {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
LUID LogonId;
} MSV1_0_GETUSERINFO_REQUEST, *PMSV1_0_GETUSERINFO_REQUEST;
typedef struct _MSV1_0_GETUSERINFO_RESPONSE {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
PSID UserSid;
UNICODE_STRING UserName;
UNICODE_STRING LogonDomainName;
UNICODE_STRING LogonServer;
SECURITY_LOGON_TYPE LogonType;
} MSV1_0_GETUSERINFO_RESPONSE, *PMSV1_0_GETUSERINFO_RESPONSE;
// end_ntifs
//
// MsV1_0RelogonUsers submit buffer
//
typedef struct _MSV1_0_RELOGON_REQUEST {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
UNICODE_STRING LogonServer;
} MSV1_0_RELOGON_REQUEST, *PMSV1_0_RELOGON_REQUEST;
//
// MsV1_0ChangePassword and MsV1_0ChangeCachedPassword submit buffer
//
// MsV1_0ChangePassword changes the password on the SAM account plus
// the password cache and logon credentials if applicable.
//
// MsV1_0ChangeCachedPassword only changes the password cache and the logon
// credentials.
//
// begin_ntsecapi
typedef struct _MSV1_0_CHANGEPASSWORD_REQUEST {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
UNICODE_STRING DomainName;
UNICODE_STRING AccountName;
UNICODE_STRING OldPassword;
UNICODE_STRING NewPassword;
BOOLEAN Impersonating;
} MSV1_0_CHANGEPASSWORD_REQUEST, *PMSV1_0_CHANGEPASSWORD_REQUEST;
typedef struct _MSV1_0_CHANGEPASSWORD_RESPONSE {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
BOOLEAN PasswordInfoValid;
DOMAIN_PASSWORD_INFORMATION DomainPasswordInfo;
} MSV1_0_CHANGEPASSWORD_RESPONSE, *PMSV1_0_CHANGEPASSWORD_RESPONSE;
// end_ntsecapi
//
// MsV1_0GenericPassthrough - for remoting a CallPackage to
// a domain controller on the specified domain
//
typedef struct _MSV1_0_PASSTHROUGH_REQUEST {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
UNICODE_STRING DomainName;
UNICODE_STRING PackageName;
ULONG DataLength;
PUCHAR LogonData;
ULONG Pad ;
} MSV1_0_PASSTHROUGH_REQUEST, *PMSV1_0_PASSTHROUGH_REQUEST;
typedef struct _MSV1_0_PASSTHROUGH_RESPONSE {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG Pad;
ULONG DataLength;
PUCHAR ValidationData;
} MSV1_0_PASSTHROUGH_RESPONSE, *PMSV1_0_PASSTHROUGH_RESPONSE;
//
// MsV1_0CacheLogon submit buffer
//
// Values for RequestFlags
#define MSV1_0_CACHE_LOGON_REQUEST_MIT_LOGON 0x00000001
#define MSV1_0_CACHE_LOGON_REQUEST_INFO4 0x00000002
#define MSV1_0_CACHE_LOGON_DELETE_ENTRY 0x00000004
typedef struct _MSV1_0_CACHE_LOGON_REQUEST {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
PVOID LogonInformation;
PVOID ValidationInformation;
PVOID SupplementalCacheData;
ULONG SupplementalCacheDataLength;
ULONG RequestFlags;
} MSV1_0_CACHE_LOGON_REQUEST, *PMSV1_0_CACHE_LOGON_REQUEST;
//
// MsV1_0CacheLookup submit buffer
//
// values for CredentialType
#define MSV1_0_CACHE_LOOKUP_CREDTYPE_NONE 0
#define MSV1_0_CACHE_LOOKUP_CREDTYPE_RAW 1
#define MSV1_0_CACHE_LOOKUP_CREDTYPE_NTOWF 2
typedef struct _MSV1_0_CACHE_LOOKUP_REQUEST {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
UNICODE_STRING UserName;
UNICODE_STRING DomainName;
ULONG CredentialType;
ULONG CredentialInfoLength;
UCHAR CredentialSubmitBuffer[1]; // in-place array of length CredentialInfoLength
} MSV1_0_CACHE_LOOKUP_REQUEST, *PMSV1_0_CACHE_LOOKUP_REQUEST;
typedef struct _MSV1_0_CACHE_LOOKUP_RESPONSE {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
PVOID ValidationInformation;
PVOID SupplementalCacheData;
ULONG SupplementalCacheDataLength;
} MSV1_0_CACHE_LOOKUP_RESPONSE, *PMSV1_0_CACHE_LOOKUP_RESPONSE;
// begin_ntsecapi
//
// MsV1_0SubAuthInfo submit buffer and response - for submitting a buffer to a
// specified Subauthentication Package during an LsaCallAuthenticationPackage().
// If this Subauthentication is to be done locally, then package this message
// in LsaCallAuthenticationPackage(). If this SubAuthentication needs to be done
// on the domain controller, then call LsaCallauthenticationPackage with the
// message type being MsV1_0GenericPassThrough and the LogonData in this struct
// should be a PMSV1_0_SUBAUTH_REQUEST
//
typedef struct _MSV1_0_SUBAUTH_REQUEST{
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG SubAuthPackageId;
ULONG SubAuthInfoLength;
PUCHAR SubAuthSubmitBuffer;
} MSV1_0_SUBAUTH_REQUEST, *PMSV1_0_SUBAUTH_REQUEST;
typedef struct _MSV1_0_SUBAUTH_RESPONSE{
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG SubAuthInfoLength;
PUCHAR SubAuthReturnBuffer;
} MSV1_0_SUBAUTH_RESPONSE, *PMSV1_0_SUBAUTH_RESPONSE;
// end_ntsecapi
//
// Credential Derivation types for MsV1_0DeriveCredential Submit DeriveCredType
//
//
// Derive Credential using SHA-1 and Request buffer DeriveCredSubmitBuffer of
// length DeriveCredInfoLength mixing bytes.
// Response buffer DeriveCredReturnBuffer will contain SHA-1 hash of size
// A_SHA_DIGEST_LEN (20)
//
#define MSV1_0_DERIVECRED_TYPE_SHA1 0
#define MSV1_0_DERIVECRED_TYPE_SHA1_V2 1
//
// MsV1_0DeriveCredential submit buffer and response - for submitting a buffer
// an call to LsaCallAuthenticationPackage().
//
typedef struct _MSV1_0_DERIVECRED_REQUEST {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
LUID LogonId;
ULONG DeriveCredType;
ULONG DeriveCredInfoLength;
UCHAR DeriveCredSubmitBuffer[1]; // in-place array of length DeriveCredInfoLength
} MSV1_0_DERIVECRED_REQUEST, *PMSV1_0_DERIVECRED_REQUEST;
typedef struct _MSV1_0_DERIVECRED_RESPONSE {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG DeriveCredInfoLength;
UCHAR DeriveCredReturnBuffer[1]; // in-place array of length DeriveCredInfoLength
} MSV1_0_DERIVECRED_RESPONSE, *PMSV1_0_DERIVECRED_RESPONSE;
//
// MsV1_0SetProcessOption submit buffer - for submitting a buffer
// an call to LsaCallAuthenticationPackage().
//
#define MSV1_0_OPTION_ALLOW_BLANK_PASSWORD 0x1
#define MSV1_0_OPTION_DISABLE_ADMIN_LOCKOUT 0x2
#define MSV1_0_OPTION_DISABLE_FORCE_GUEST 0x4
#define MSV1_0_OPTION_TRY_CACHE_FIRST 0x10
typedef struct _MSV1_0_SETPROCESSOPTION_REQUEST {
MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG ProcessOptions;
BOOLEAN DisableOptions;
} MSV1_0_SETPROCESSOPTION_REQUEST, *PMSV1_0_SETPROCESSOPTION_REQUEST;
#ifdef __cplusplus
}
#endif
#endif //_NTMSV1_0_
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -