[jcifs] MS-CHAP and MS-CHAP-V2 possible?

Mike Bean bean at alcatel-lucent.com
Wed Feb 28 18:52:06 GMT 2007


That was what I was afraid of.  I have read through LKCL's book but I 
must admit I am no Samba or MSRPC expert.  Looks like you were trying to do 
the same thing with the Jarapac project.


Michael B Allen wrote:
> On Mon, 26 Feb 2007 16:57:09 -0800
> Mike Bean <bean at alcatel-lucent.com> wrote:
>> I have some JNI code to perform LsaLogonUser calls on Windows to 
>> validate MS-CHAP and MS-CHAP-V2 responses.  It looks like you should be 
>> able to do the same with JCIFS but it appears that challenges must be 
>> chosen by DC.  Unfortunately I need to specify a challenge rather than 
>> get one from DC.  Is there any way to create a 
>> NtlmPasswordAuthentication object with external hashes and challenge and 
>> perform a logon to validate hashes?
> Nope.
>>  Can I get the user password hashed 
>> twice to use in generating MPPE keys, I believe this is the user session 
>> key?
> You could do the NetrSamLogon RPC (that's what LsaLogonUser does). You
> supply the challenge and the password hashes and get back the session key
> (I assume the session key must be sufficient to do MPPE).
> I don't think we have any netlogon.idl at the moment but between Samba
> SVN, MSDN and Wireshark you should be able to fill in enough of it to
> produce a JCIFS MSRPC stub with our midlc compiler.
> Another way to do it might be to use digest authentication. I don't
> know the details but the Heimdal guys just implemented the functional
> equivalent of NetrSamLogon to authenticate NTLM clients. It also gives
> you the session key.
> Mike
