[jcifs] Question about NT Domains
Michael B. Allen
miallen at eskimo.com
Wed Jun 12 17:10:17 EST 2002
On Wed, 12 Jun 2002 00:25:38 -0500
"Steven French" <sfrench at us.ibm.com> wrote:
> There are four set password calls for SMB/CIFS (not counting the Kerberos
> change password):
> NetUserPasswordSet (plain text) which is RAP ordinal 58
> NetUserPasswordSet2 (one way lanman hash of password) 115
> NetUserPasswordSet3 (reversibly encrypted ie secure decryptable change
> password) done by IBM 275
> SAM_OEMChangePassword (same idea as above but done a few years later by
> Microsoft) 214
>
> See
> http://cvs.samba.org/cgi-bin/cvsweb/samba/source/include/rap.h?rev=1.4.2.1&content-type=text/x-cvsweb-markup
>
> for a fairly complete list based on Microsoft's postings and documentation
> (as well as IBM documentation on the IBM specific ones). Jim and I added
> this when we added the "net" utility to Samba last year and with it a lot
> of RAP support. There once was NetUserPassswordSet2 support in Samba
> don't know if it is still there. It may have been in the old PAM_SMB as
> well.
>
> Although the current Microsoft clients preferentially send
> SAM_OEMChangePassword, they (and many others too) will send
> NetUserPasswordSet2 if the server doesn't support SAM_OEM and then some
> will even fall back to the ancient plain text NetUserPasswordSet RAP call
So it sounds like we just have to find a Win98 machine that authenticates
against an NT 4 domain and capture the password change from there. This is
great info Steve.
Thanks,
Mike
>
>
>
> Steve French
> Senior Software Engineer
> Linux Technology Center - IBM Austin
> phone: 512-838-2294
> email: sfrench at us.ibm.com
>
>
> "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com> on 06/11/2002 10:16:22
> PM
>
> To: "'Tony Thompson'" <tony.thompson at stone-ware.com>,
> "'jcifs at samba.org'" <jcifs at samba.org>, Steven
> French/Austin/IBM at IBMUS
> cc:
> Subject: RE: [jcifs] Question about NT Domains
>
>
>
>
>
> > -----Original Message-----
> > From: Tony Thompson [SMTP:tony.thompson at stone-ware.com]
> > Sent: Tuesday, June 11, 2002 10:51 PM
> > To: Michael_B_Allen at ml.com
> > Subject: RE: [jcifs] Question about NT Domains
> >
> > OK, here is a trace from a Win98 machine. It still looks different. If
> you look at packet #13,
> > I am guessing that is where the password is set but, it looks completely
> different from what
> > I would expect. According to the document you clued me in on, the
> parameter descriptor
> > string should be "zsT". The descriptor in that packet is "zb16b16WW" (I
> think). I couldn't
> > even find that in the cifsrap2.doc.
> >
> Opps, that appears to be a another RAP call for changing your password. I
> have not heard of
> SetUserPassword (115). There are hundreds of RAP calls. I seem to be at a
> loss as to how
> to capture a SamOEMChangePassword call. I suppose an early version of
> smbclient might
> do it. You could probably get Win98 to do it too you just need to provoke
> it in the right way.
> Does anyone have an Ethereal pcap of SamOEMChangePassword or know exactly
> how Tony
> can get one?
>
> > I am not sending the wrong password so, I must be building the request
> incorrectly.
> >
> You really need a pcap. You'll never get it right without one. At least I
> never could.
>
> Otherwise, your code looks really close,
> Mike
>
> > I am attaching my source code as well. I don't know if you can see
> anything obviously wrong with that.
> >
> > Thanks for your help.
> > Tony
> >
> > >>> "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com> 06/11/02 08:56PM
> >>>
> > Your password changing utility is using DCE/RPC which is why it looks
> nothing like your other trace. The
> > jcifs trace looks like a strait forward wrong password to me. Try
> capturing a Win98 machine. It' can't do
> > DCE/RPC.
> >
> > Mike
> >
> > > -----Original Message-----
> > > From: Tony Thompson [SMTP:tony.thompson at stone-ware.com]
> > > Sent: Tuesday, June 11, 2002 9:43 PM
> > > To: Michael_B_Allen at ml.com
> > > Subject: RE: [jcifs] Question about NT Domains
> > >
> > > I grabbed the BouncyCastle code. There is an RC4 engine in there that
> I can use.
> > >
> > > I am having an issue with trying to get this thing working. Here is
> the exception that I am getting:
> > >
> > > jcifs.smb.SmbException: Invalid operation for IPC service
> > > at jcifs.smb.SmbTree.send(SmbTree.java:86)
> > > at jcifs.smb.SmbFile.send(SmbFile.java:499)
> > > at jcifs.smb.SmbFile.changePassword(SmbFile.java:1420)
> > > at Test.main(Test.java:137)
> > >
> > > Attached are two Sniffer trace files.
> > >
> > > passwd.cap - is a trace of a command line utility that I grabbed off
> the net to change my password (it works).
> > >
> > > jcifs_pass.cap - is a trace of the code I added to jCIFS.
> > >
> > > Can you point me to something specific in the trace (i.e. a packet #,
> etc.) that I can use to compare the two traces to try and figure out what I
> am doing wrong? I haven't really dug into this
> > > stuff at the wire level before so I am not quite sure what I am looking
> for just yet.
> > >
> > > Thanks.
> > > Tony
> > >
> > > >>> "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com> 06/10/02 07:52PM
> >>>
> > > RC4 is a very simple algorithm. A very simple search on google turned
> up numerous RC4.java classes.
> > >
> > > > -----Original Message-----
> > > > From: Tony Thompson [SMTP:tony.thompson at stone-ware.com]
> > > > Sent: Monday, June 10, 2002 8:07 PM
> > > > To: miallen at eskimo.com
> > > > Cc: jcifs at samba.org
> > > > Subject: Re: [jcifs] Question about NT Domains
> > > >
> > > > It looks like the E() is what I need to do the one way transformation
> (partially). If the old password is longer than 8 bytes, I have to
> concatenate several results from E().
> > > >
> > > > But, I still need to do RC4 encryption on the two passwords. I don't
> think that RC4 encryption is part of the JCE or, even if it was, that you
> would want jCIFS dependent on the JCE. What do
> > the
> > > > Samba "guys" do? Is there anything that we can use to do this?
> > > >
> > > > >>> "Michael B. Allen" <miallen at eskimo.com> 06/07/02 08:10PM >>>
> > > > On Fri, 07 Jun 2002 15:12:30 -0500
> > > > "Tony Thompson" <tony.thompson at stone-ware.com> wrote:
> > > >
> > > > > I decided to try and tackle this but, I am having a couple of
> issues. According to the cifsrap2.doc, an RC4 encryption must be performed
> on the old password before it is sent. I didn't see
> > > > anything hanging around in jCIFS that would do this. Any
> suggestions?
> > > > >
> > > > > A one way transformation must also be performed on the old
> password. The document describes the gyrations required to do this but,
> one of the elements of the transformation is "an 8 byte
> > string
> > > > whose value is available from Microsoft upon request". Any idea what
> this string might be or how to get it?
> > > > >
> > > > > Is there something already in jCIFS that would do all of the above
> for me (i.e. is this same type of thing used anywhere else)? I know it is
> a long shot but, I had to ask.
> > > >
> > > > Look at the top of jcifs/smb/SmbSession.java. You can in all
> likelyhood
> > > > just use the E() method. It's probably very similar but i
> don't know
> > > > really. It will take some fiddling and reasoning. You don't really
> need to
> > > > know much about encryption to do it but you might want to get a
> capture and
> > > > copy out the encrypted value of a known password so you can
> test your
> > > > encryption method.
> > > >
> > > > Mike
> > > >
> > > > --
> > > > http://www.eskimo.com/~miallen/c/jus.c
> > > >
> > > >
> > > >
> > >
> > > << File: passwd.cap >> << File: jcifs_pass.cap >>
> > << File: 98_pass.cap >> << File: SamOemChangePasswordResponse.java >>
> << File: SamOemChangePassword.java >>
>
>
>
>
--
http://www.eskimo.com/~miallen/c/jus.c
More information about the jcifs
mailing list