encrypted DCE/RPC - progress.
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Wed Feb 18 11:44:49 GMT 1998
On Wed, 18 Feb 1998, Luke Kenneth Casson Leighton wrote:
> On Wed, 18 Feb 1998, Luke Kenneth Casson Leighton wrote:
>
> > paul ashton is exploring the nt lm ssp interface, and the password
> > changing (samr commands 0x38 and 0x37). i've added dce/rpc parsing
> > support for the "authentication verification" (to be tested shortly :-) in
> > the bind / bind ack, but not the encryption of the "stub data".
>
> just noticed that this is a 16 byte key from the server, 8 bytes of which
> are zero. there's nothing from the client in the bind request.
that's because it sends an SMBwriteX, which i will have to implement.
this will provide the NTLM 8-byte challenge / 24-byte responses system.
it's really really wierd that this _can_ also done in the SMBnegprot /
SMBsessionsetupX to establish the connection over which DCE/RPC is sent,
but this is totally independent of that.
> client-> rpc bind req (negotiate nt lm ssp)
> server-> rpc bind resp (confirm nt lm ssp, send 16 byte stuff)
client -> SMBwriteX (user, domain, wksta + 24 byte lm and nt responses)
server -> SMBwriteX response (just an acknowledgement).
> client-> rpc request - stub data plus 16 byte "authenticator".
> server-> rpc response - stub data plus 16 byte "authenticator".
More information about the samba-ntdom
mailing list