questions about cifsntdomain.txt
pcc at llnl.gov
Mon Aug 31 02:57:16 GMT 1998
In the cifsntdomain.txt portion of the Samba docs, there is a description
of the SAM logon information. I have a couple of questions.
Here is the first structure in question:
- ID_INFO_1 (id info structure, auth level 1) :
    UNIHDR   domain name unicode header
    UINT32   param control
    UINT64   logon ID
    UNIHDR   user name unicode header
    UNIHDR   workgroup name unicode header
    char     arc4 LM OWF Password
    char     arc4 NT OWF Password
    UNISTR2  domain name unicode string
    UNISTR2  user name unicode string
    UNISTR2  workstation name unicode string
Now the question:
1. Are the OWF only "encrypted" with arc4? Or is there actually a stronger
encryption before the arc4'ing them?
What I am trying to find out, is whether it is just as easy to capture and
crack the domain logon (dce/rpc) based packets, as it is the SMB/CIFS
challenge-response authentication packets?
The next structure is the
- CLNT_INFO2 (server, client structure, client credentials) :
    CLNT_SRV  client and server names
    UINT8     ???? padding, for 4-byte alignment with SMB header.
    VOID*     pointer to client credentials.
    CREDS     client-calculated credentials + client time
Where do I find out how the client calculated the credential?
Your input is much appreciated.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer Incident Advisory Capability (CIAC) Philip C. Cox
ciac at llnl.gov pcc at llnl.gov
PGP fingerprint = 1A97 AB44 406A 77B7 3EA8 3B5B E3B5 BE73
Notable Quote = "Do today what you want to be tomorrow."