NT Security Alert: (was Re: NTDOM: SamLogon validation...)

Luke Kenneth Casson Leighton lkcl at switchboard.net
Tue Feb 3 16:37:53 GMT 1998


On Tue, 3 Feb 1998, Paul Ashton wrote:

> At 01:18 03/02/98 , Paul Ashton wrote:
> >From a quick look at a packet trace, the original client that wishes
> >to access a share does an SMB negotiate and receives an 8 byte challenge,
> >it then does a session setup & X with a 24 byte challenge response. The
> >SMB server then forwards the challenge and the response to the PDC
> >without encryption. The PDC confirms whether the response was valid and
> >if so, returns the password hash to the SMB server (rc4 encrypted) so
> >that the SMB server could then forward the hash to other servers on
> >behalf of the client. 
> 
> This means that anybody passively listening to the LAN can turn
> any NTLM challenge response sequence into a password equivalent!
> Just forward the challenge and response of a sniffed packet to an
> NT DC and it will send you the password equivalent.
> 
> The only thing you need is access to a workstation trust account
> name and password. You will have this if you have administrative
> access to your own machine or if you listen to a workstation
> joining a domain for the first time.
> I think Luke's smbclient mods can be coded to exploit this. Luke?

yes, it could.  oh dear.  i'll implement "Network" Logons, first.  then
the code will be there.  two days, ok?

luke



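The exchange Paul describes above, modelled end to end as an added example (this is not code from the thread, from Samba, or from Luke's smbclient mods). It computes the 24-byte NT response the client sends for an 8-byte challenge (the NT hash is zero-padded to 21 bytes, split into three 7-byte DES keys, and each key encrypts the challenge), has a toy PDC validate that response and hand back the user's hash RC4-encrypted, and then shows the passive attacker replaying a sniffed (challenge, response) pair with a workstation trust account to obtain the hash. Assumptions: the sample NT hash, challenge and trust secret are constructed values; the PDC is a map in memory; and the trust secret is used directly as the RC4 key, which stands in for the real secure-channel session key the thread does not describe.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rc4"
	"crypto/subtle"
	"fmt"
)

// Constructed sample values (not real credentials or a real capture).
var (
	sampleNTHash      = []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00}
	sampleChallenge   = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
	sampleTrustSecret = []byte("WKSTN$-trust-secret") // assumed workstation trust account secret
)

// desKeyFrom7 expands 7 key bytes into the 8-byte DES key layout NTLM uses:
// the 56 key bits fill the high seven bits of each byte, the low (parity) bit
// stays zero. Go's crypto/des ignores parity, so that is sufficient.
func desKeyFrom7(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] >> 1
	k[1] = (k7[0]&0x01)<<6 | k7[1]>>2
	k[2] = (k7[1]&0x03)<<5 | k7[2]>>3
	k[3] = (k7[2]&0x07)<<4 | k7[3]>>4
	k[4] = (k7[3]&0x0F)<<3 | k7[4]>>5
	k[5] = (k7[4]&0x1F)<<2 | k7[5]>>6
	k[6] = (k7[5]&0x3F)<<1 | k7[6]>>7
	k[7] = k7[6] & 0x7F
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// ntlmResponse is the client side: 16-byte NT hash -> 24-byte response to the
// 8-byte server challenge (three DES encryptions of the challenge).
func ntlmResponse(ntHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKeyFrom7(padded[i*7 : i*7+7]))
		if err != nil {
			panic(err)
		}
		out := make([]byte, 8)
		block.Encrypt(out, challenge[:8])
		resp = append(resp, out...)
	}
	return resp
}

// rc4Crypt models the "rc4 encrypted" hash in the PDC's reply (RC4 is symmetric).
func rc4Crypt(key, data []byte) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out
}

// pdc is a toy domain controller: a SAM of user -> NT hash plus the one
// workstation trust secret it will accept on the network logon call.
type pdc struct {
	sam         map[string][]byte
	trustSecret []byte
}

// samLogon is the network logon the SMB server forwards: the PDC checks the
// forwarded challenge/response against the stored hash and, if valid, returns
// that hash RC4-encrypted under the (assumed) trust-account key.
func (p *pdc) samLogon(trustSecret []byte, user string, challenge, response []byte) ([]byte, bool) {
	if subtle.ConstantTimeCompare(trustSecret, p.trustSecret) != 1 {
		return nil, false // caller cannot prove domain membership
	}
	ntHash, ok := p.sam[user]
	if !ok {
		return nil, false
	}
	if subtle.ConstantTimeCompare(ntlmResponse(ntHash, challenge), response) != 1 {
		return nil, false
	}
	return rc4Crypt(trustSecret, ntHash), true
}

// replaySniffedLogon is the attack: forward a passively captured
// (challenge, response) pair using a trust secret, decrypt the returned hash.
func replaySniffedLogon(p *pdc, trustSecret []byte, user string, challenge, response []byte) ([]byte, bool) {
	enc, ok := p.samLogon(trustSecret, user, challenge, response)
	if !ok {
		return nil, false
	}
	return rc4Crypt(trustSecret, enc), true
}

// demo wires the pieces together and reports whether the attacker's recovered
// hash equals the hash the PDC holds for the user.
func demo() (recovered []byte, leaked bool) {
	dc := &pdc{sam: map[string][]byte{"alice": sampleNTHash}, trustSecret: sampleTrustSecret}
	sniffedResponse := ntlmResponse(sampleNTHash, sampleChallenge) // seen on the wire
	recovered, ok := replaySniffedLogon(dc, sampleTrustSecret, "alice", sampleChallenge, sniffedResponse)
	return recovered, ok && bytes.Equal(recovered, sampleNTHash)
}

func main() {
	h, leaked := demo()
	fmt.Printf("recovered hash %x, password-equivalent obtained: %v\n", h, leaked)
}
```

The point the model makes concrete: the attacker never inverts DES; the PDC does the check and then volunteers the hash, so the only gate is the trust-account secret. Replacing the returned hash with a per-session key that cannot be reused (or not returning it at all) is what would close the hole, not a stronger cipher on the wire.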