[Samba] NTLMv2 with win2003 AD question

Andrew Bartlett abartlet at samba.org
Thu Feb 14 21:23:03 MST 2013 

On Wed, 2013-02-06 at 12:20 +0800, 安静的风 wrote:
> Hi
> 
> 
> Thanks in advance.
> I know my question below is not really related with samba but I'm really confused, and you guys are expert on windows authentication, 
> I really hope you have patience to read this and I'll appreciate any of your help.
> 
> 
> I learned a lot from this post http://lists.samba.org/archive/jcifs/2008-October/008227.html.
> I know that a "man in the middle" technique, like 'JCIFS NTLM HTTP Authentication Filter', will not work when using NTLMv2 and the only technique is using NetLogon. Am I right?
> Besides, a 'TargetInfo' field is necessary to calculate NTLMv2 response.
> 
> 
> However, I'm reading a proxy code these days and did some test on it.
> It uses the MITM technique, that is so say, proxy returns the challenge of SMB server(win2003 AD) to browser. just like what 'JCIFS NTLM HTTP Authentication Filter' does.
> Proxy uses 'SMB_COM_NEGOTIATE' and 'SMB_COM_SESSION_SETUP_ANDX' command to communicate with windows AD.
> 
> 
> The topology is like this:
> 
> 
> browser-------------------proxy-------------------------win2003 AD
> 
> 
> NTLMv1 works fine and make sense indeed.
> 
> 
> But I find that NTLMv2 works when using win2k3 AD, unexpectedly. This doesn't make sense.
> using wireshark, I found that in 'Negoticate Flags', 'Negoticate Targe Info' field is not set.
> and NTLMv2 response is like this:
> 
> 
> NTLMv2 Response: D99AF0F6AE2B97.....
>     HMAC: D99AF0F6AE2B97...
>     Header: 0x00000101
>     Reserved: 0x00000000
>     Time: Feb 3, 2013 15:26:32.562500000
>     Unknown: 0x00000000
>     Name: NetBIOS domain name
>         Name type: NetBIOS domain name(2)
>         Name Len: 0
>         Name:
>     Name: End of list
> 
> 
> 
> 
> The target info field just has one item with empty value...
> 
> 
> This is really confused me. 
> Is it a bug of win2k3 AD and make use of the bug??
> 
> 
> When I'm using win2k8 AD, NTLMv2 doesn't work. Win2k8 AD returns an 'Invalid Parameter' message in 'SMB_COM_SESSION_SETUP_ANDX' response messge.
> 
> 
> BTY, the OS is win2k3 R2 Enterprise SP2 and win2k8 R2 Enterprise SP1.

This looks like a reasonable analysis.  If the client does not check the
target information then the protections of NTLMv2 are indeed very
limited.  The same applies to the server. 

Samba currently matches Windows 2003 in this regard, and yes, with the
new information we have in the AD DC (servicePrincipalName values), we
should be able to enforce this properly.  I would love a patch to do
this in a way that matches windows behaviour, both for the client and
server. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list