Partilhar via


2.2.1.5.15 NLPR_USER_PRIVATE_INFO

The NLPR_USER_PRIVATE_INFO structure defines a data buffer that is optionally encrypted with the session key, as detailed in this section. The structure is used to carry user account passwords as follows.

 typedef struct _NLPR_USER_PRIVATE_INFO {
   UCHAR SensitiveData;
   ULONG DataLength;
   [size_is(DataLength)] UCHAR * Data;
 } NLPR_USER_PRIVATE_INFO,
  *PNLPR_USER_PRIVATE_INFO;

SensitiveData: Is either TRUE (0x01) or FALSE (0x00). The SensitiveData field indicates whether the data is encrypted as follows. If this field is set to 0x00, then the data is not encrypted. If the field is set to 0x01, the data pointed to by the Data field is encrypted with the session key used on the secure channel between the client and the server exchanging this data structure to the client. The encryption algorithm is RC4 if the flag C is set in the negotiated flags between the client and the server, as specified in section 3.1.4.2; otherwise the encryption algorithm is DES.

DataLength: The size, in bytes, of the Data field.

Data: A pointer to a buffer with a size of DataLength. If the SensitiveData field is set to TRUE, this data is encrypted as defined in the SensitiveData field. The buffer content prior to encryption (if any) is shown in the following table.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

DataType

LmLength

LmMaximumLength

Unused1

LmHash[0..3]

LmHash[4..7]

LmHash[8..11]

LmHash[12..15]

NtLength

NtMaximumLength

Unused2

NtHash[0..3]

NtHash[4..7]

NtHash[8..11]

NtHash[12..15]

LmHistoryLength

LmHistoryMaximumLength

Unused3

NtHistoryLength

NtHistoryMaximumLength

Unused4

NtHistoryArray (variable)

...

LmHistoryArray (variable)

...

DataType: An unsigned integer. This value MUST be 0x00000002.

LmLength: An unsigned (short) integer. This value MUST be either 0x0010 or 0x0000. If 0x0010, the LmHash field contains the LM hash of the user password (specified in [MS-NLMP]). If 0x0000, the value of the LmHash field is undefined and MUST be ignored upon receipt.

LmMaximumLength: This value MUST be the same value as LmLength.

Unused1: This value MUST be zero and ignored on receipt.

LmHash: The encrypted ([MS-SAMR] section 2.2.11.1) LM OWF ([MS-NLMP] section 3.3) of the user password. The 16-byte encryption key is created by concatenating four times the relative ID (from the given user's SID).

NtLength: An unsigned (short) integer. This value MUST be either 0x0010 or 0x0000. If 0x0010, the NtHash field contains the NT hash of the user password (specified in [MS-NLMP]). If 0x0000, the value of the NtHash field is undefined and MUST be ignored upon receipt.

NtMaximumLength: This value MUST be the same value as NtLength.

Unused2: This value MUST be zero and ignored on receipt.

NtHash: The encrypted ([MS-SAMR] section 2.2.11.1) NT OWF ([MS-NLMP] section 3.3) of the user password. The 16-byte encryption key is created by concatenating four times the relative ID (from the given user's SID).

LmHistoryLength: An unsigned (short) integer. This value is the length, in bytes, of the LmHistoryArray field.

LmHistoryMaximumLength: This value MUST be the same value as LmHistoryLength.

Unused3: This value MUST be zero and ignored on receipt.

NtHistoryLength: An unsigned (short) integer. This value is the length, in bytes, of the NtHistoryArray field.

NtHistoryMaximumLength: This value MUST be the same value as NtHistoryLength.

Unused4: This value MUST be zero and ignored on receipt.

NtHistoryArray: An array of NT hash values of user passwords for the given user. The array is ordered so that the first element is the hash of the current password and the last element is the hash of the oldest password.

Note  The number of elements in the array is the value of the NtHistoryLength field divided by 0x0010.

LmHistoryArray: An array of LM hash values of user passwords for the given user. The array is ordered so that the first element is the hash of the current password and the last element is the hash of the oldest password.

Note  The number of elements in the array is the value of the LmHistoryLength field divided by 0x0010.