Regarding AUTH_CRAP and NTLMv2

Andrew Bartlett abartlet at samba.org
Mon Jan 17 04:41:31 MST 2011


On Mon, 2011-01-17 at 17:02 +0530, Narendra Kumar S.S wrote:
> On Mon, Jan 17, 2011 at 4:51 PM, Andrew Bartlett <abartlet at samba.org>
> wrote:
>         On Mon, 2011-01-17 at 16:48 +0530, Narendra Kumar S.S wrote:
>         > Hi Andrew,
>         >
>         >
>         >     Thanks very much for the quick response.
>         >     So, that explains why the AUTH_CRAP with NTLMv2 response is
>         > failing!
>         >
>         >
>         >     So, is there any way to overcome this?
>         
>         
>         The best way is to simply hold the full password database on
>         your MITM device, i.e., run Samba4 and replicate in the passwords.
> I cannot get hold of the password database.
> So, this is ruled out. 

If you are not permitted the password DB, for what reason do you think
you should be able to get at any arbitrary session key?

>         It may be possible to bypass the restriction by being a
>         trusted domain,
>         rather than a member server.  I've not tried this however.
> Any idea on how to add it as a trusted domain?
>         
>         >     Or is it possible to change the computer name hidden in
>         > the NT response?
>         
>         
>         No, the response includes this value in the checksum.
> If it is possible to change the computer name, I can recalculate the
> checksum and overwrite the original sum.

Sure, that's all quite possible, if you know the original password.
Remember, this is a secure challenge-response authentication system :-).
This aspect in particular is designed to make it harder to break into
this way. 

As you don't know the password (and don't have access to the password
db), then you can't do this. 

> So, is it possible to change the computer name at all? 

No.  That is why it is embedded in the HMAC checksum. 

>         >     Or will this work, if I have a delegated user?
>         
>         
>         I'm not sure what you mean exactly.
> In Windows 2003 server, a user can be made a delegated user.
> But, since the computer name is involved and not the particular user,
> this change will not help.
> I quickly tried this and it failed.

Do you mean 'trusted for delegation'?  If you were being an active,
visible proxy, then Kerberos delegation would be a way to terminate the
connection you wish to decrypt, and then connect to the target.

But you have not really said what you want to do with the session key,
so I can only guess.

Andrew Bartlett


-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
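The point Andrew makes above (the computer name is embedded in the HMAC checksum, so it cannot be changed without the password, and the session key is out of reach without the password database) can be shown directly from the NTLMv2 construction in MS-NLMP. The following Python is an added illustration written for this page; it is not Samba code and not part of the thread. It implements NTOWFv2, the NTLMv2 response (NTProofStr over the server challenge plus the blob carrying the target-info AV pairs, including MsvAvNbComputerName) and the SessionBaseKey, then tries to rewrite the computer name inside a captured response first without and then with the NT hash. MD4 is implemented inline because hashlib's md4 is often unavailable on OpenSSL 3 builds. The user name, domain, challenges, timestamp and host names are constructed sample values, and `tamper_computer_name` and `demo` are helper names chosen here, not protocol terms.

```python
import hmac
import hashlib
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT hash (MD4 over the UTF-16LE password)."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: the next step updates "d"
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC_MD5(MD4(UTF16(password)), UTF16(UPPER(user) + domain))."""
    nt_hash = md4(password.encode("utf-16-le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pairs(pairs) -> bytes:
    """Encode target info as AV_PAIR list (AvId, AvLen, UTF-16LE value), MsvAvEOL last."""
    out = b"".join(struct.pack("<HH", av_id, len(v)) + v
                   for av_id, v in ((i, s.encode("utf-16-le")) for i, s in pairs))
    return out + struct.pack("<HH", 0, 0)


def ntlmv2_response(key, server_challenge, client_challenge, timestamp, target_info):
    """Return (NtChallengeResponse, SessionBaseKey) as in MS-NLMP 3.3.2."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof, hashlib.md5).digest()
    return nt_proof + temp, session_base_key


def verify(key, server_challenge, response) -> bool:
    """What the party holding the NT hash does: recompute NTProofStr over the blob."""
    nt_proof, temp = response[:16], response[16:]
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def tamper_computer_name(response, new_name, server_challenge, key=None):
    """Rewrite MsvAvNbComputerName (AvId 1) in a captured response.
    Without the key the old NTProofStr is kept, so the HMAC no longer matches."""
    nt_proof, temp = response[:16], response[16:]
    header, target_info, trailer = temp[:28], temp[28:-4], temp[-4:]
    rebuilt, off = b"", 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", target_info, off)
        off += 4
        if av_id == 0:
            break
        value = target_info[off:off + av_len]
        off += av_len
        if av_id == 0x0001:  # MsvAvNbComputerName
            value = new_name.encode("utf-16-le")
        rebuilt += struct.pack("<HH", av_id, len(value)) + value
    new_temp = header + rebuilt + struct.pack("<HH", 0, 0) + trailer
    if key is not None:  # only possible with the password DB
        nt_proof = hmac.new(key, server_challenge + new_temp, hashlib.md5).digest()
    return nt_proof + new_temp


def demo():
    # Constructed sample values; not taken from any real exchange.
    key = ntowf_v2("Password1", "narendra", "EXAMPLE")
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = bytes.fromhex("a1a2a3a4a5a6a7a8")
    timestamp = 0x01CBB60000000000  # FILETIME
    target_info = av_pairs([(0x0002, "EXAMPLE"), (0x0001, "MEMBER1")])
    response, _session_base_key = ntlmv2_response(
        key, server_challenge, client_challenge, timestamp, target_info)
    ok_original = verify(key, server_challenge, response)
    ok_blind = verify(key, server_challenge,
                      tamper_computer_name(response, "MITMBOX", server_challenge))
    ok_with_key = verify(key, server_challenge,
                         tamper_computer_name(response, "MITMBOX", server_challenge, key))
    return ok_original, ok_blind, ok_with_key


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, True)`: the untouched response verifies, the blind rename breaks NTProofStr, and recalculating the checksum works only once you hold NTOWFv2, which is exactly the password-database requirement stated above. SessionBaseKey is likewise an HMAC keyed with NTOWFv2, so a device that sees only the wire exchange cannot derive it.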


