questions about cifsntdomain.txt
Phil Cox
pcc at llnl.gov
Mon Aug 31 02:57:16 GMT 1998
In the cifsntdomain.txt portion of the Samba docs, there is a description
of the SAM logon information. I have a couple of questions.
Here is the first structure in question:
- ID_INFO_1 (id info structure, auth level 1) :
    VOID*       ptr_id_info_1
    UNIHDR      domain name unicode header
    UINT32      param control
    UINT64      logon ID
    UNIHDR      user name unicode header
    UNIHDR      workgroup name unicode header
    char[16]    arc4 LM OWF Password
    char[16]    arc4 NT OWF Password
    UNISTR2     domain name unicode string
    UNISTR2     user name unicode string
    UNISTR2     workstation name unicode string
Now the question:
1. Are the OWF only "encrypted" with arc4? Or is there actually a stronger
encryption before the arc4'ing them?
What I am trying to find out is whether it is just as easy to capture and
crack the domain logon (dce/rpc) based packets, as it is the SMB/CIFS
challenge-response authentication packets?
The next structure is the
- CLNT_INFO2 (server, client structure, client credentials) :
    CLNT_SRV    client and server names
    UINT8[]     ???? padding, for 4-byte alignment with SMB header.
    VOID*       pointer to client credentials.
    CREDS       client-calculated credentials + client time
Question:
Where do I find out how the client calculated the credential?
Your input is much appreciated.
Phil Cox
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer Incident Advisory Capability (CIAC) Philip C. Cox
(510)422-8193 (510)422-8564
ciac at llnl.gov pcc at llnl.gov
-------------------------------------------------------------------
PGP fingerprint = 1A97 AB44 406A 77B7 3EA8 3B5B E3B5 BE73
Notable Quote = "Do today what you want to be tomorrow."