NTDOM: SamLogon validation of one workstation to another via a PDC.
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Sun Feb 1 20:46:28 GMT 1998
A piece of the puzzle of NT Domains is attached, which needs solving.

This packet is activated when a user of one NT workstation accesses a
second NT workstation, the second NT workstation being a member of a
domain. It is therefore a critically important part of the NT 3.5 / 4.0
Domain protocol, as it allows a user on one workstation to access files on
another workstation, securely.

The 8 byte challenge (LmChallenge) and 24 byte LM and NT responses
(LmChallengeResponse and NtChallengeResponse) of the SMBnegprot and
SMBsessionsetupX between the first and second NT workstations are sent to
the PDC, in the DCE/RPC packet shown below. Presumably the challenge /
responses are two-way obfuscated.

The PDC decrypts the challenge and responses (presumably) and then does a
standard SMB password validate, as if it had issued the SMBnegprot
response, and received the SMBsessionsetupX query itself.

Does anyone know what obfuscation / encryption is used to encode the
challenge and responses in the packet below?
luke (samba team)
Luke Kenneth Casson Leighton <lkcl at samba.anu.edu.au>
Samba and Network Development: http://mailhost.cb1.com/~lkcl
Network Monitor trace Sun 02/01/98 17:54:51 \\regent\root\info\sam_challenge.txt
************************************************************************************************************************************************************
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
32 8.914 KNIGHT REGENT R_LOGON RPC Client call logon:NetrLogonSamLogon(..) KNIGHT REGENT IP
+ FRAME: Base frame properties
+ ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
+ IP: ID = 0x9205; Proto = TCP; Len: 458
+ TCP: .AP..., len: 418, seq: 1442186-1442603, ack:2491898253, win: 8313, src: 1032 dst: 139 (NBT Session)
+ NBT: SS: Session Message, Len: 414
+ SMB: C transact TransactNmPipe, FID = 0x801
+ MSRPC: c/o RPC Request: call 0x6 opnum 0x2 context 0x0 hint 0x13A
R_LOGON: RPC Client call logon:NetrLogonSamLogon(..)
  R_LOGON: LOGONSRV_HANDLE LogonServer = \\REGENT
  R_LOGON: wchar_t ComputerName = KNIGHT
  R_LOGON: PNETLOGON_AUTHENTICATOR Authenticator {..}
    R_LOGON: NETLOGON_CREDENTIAL Credential {..}
      R_LOGON: CHAR data [..] = 89 97 14 C1 23 C6 7B BB
    R_LOGON: DWORD timestamp = 886355494 (0x34D4B626)
  R_LOGON: PNETLOGON_AUTHENTICATOR ReturnAuthenticator {..}
    R_LOGON: NETLOGON_CREDENTIAL Credential {..}
      R_LOGON: CHAR data [..] = B9 6E F6 77 00 00 14 00
    R_LOGON: DWORD timestamp = 0 (0x0)
  R_LOGON: NETLOGON_LOGON_INFO_CLASS LogonLevel = 2 (0x2)
  R_LOGON: PNETLOGON_LEVEL LogonInformation {..}
    R_LOGON: Switch Value = 2 (0x2)
    R_LOGON: PNETLOGON_NETWORK_INFO LogonNetwork {..}
      R_LOGON: NETLOGON_LOGON_IDENTITY_INFO Identity {..}
        R_LOGON: UNICODE_STRING LogonDomainName {..}
          R_LOGON: USHORT Length = 10 (0xA)
          R_LOGON: USHORT MaximumLength = 10 (0xA)
          R_LOGON: USHORT * Buffer = 1388208 (0x152EB0)
        R_LOGON: ULONG ParameterControl = 2 (0x2)
        R_LOGON: OLD_LARGE_INTEGER LogonId {..}
          R_LOGON: ULONG LowPart = 35800 (0x8BD8)
          R_LOGON: LONG HighPart = 0 (0x0)
        R_LOGON: UNICODE_STRING UserName {..}
          R_LOGON: USHORT Length = 8 (0x8)
          R_LOGON: USHORT MaximumLength = 8 (0x8)
          R_LOGON: USHORT * Buffer = 1388218 (0x152EBA)
        R_LOGON: UNICODE_STRING Workstation {..}
          R_LOGON: USHORT Length = 16 (0x10)
          R_LOGON: USHORT MaximumLength = 16 (0x10)
          R_LOGON: USHORT * Buffer = 1388226 (0x152EC2)
      R_LOGON: LM_CHALLENGE LmChallenge {..}
        R_LOGON: CHAR data [..] = FB DA 8B 7F 9B 0B C1 9E
      R_LOGON: STRING NtChallengeResponse {..}
        R_LOGON: USHORT Length = 24 (0x18)
        R_LOGON: USHORT MaximumLength = 24 (0x18)
        R_LOGON: PCHAR Buffer = 1388242 (0x152ED2)
      R_LOGON: STRING LmChallengeResponse {..}
        R_LOGON: USHORT Length = 24 (0x18)
        R_LOGON: USHORT MaximumLength = 24 (0x18)
        R_LOGON: PCHAR Buffer = 1388266 (0x152EEA)
      R_LOGON: USHORT * Buffer [..] = 0054 0045 0053 0054 0033
      R_LOGON: USHORT * Buffer [..] = 006C 006B 0063 006C
      R_LOGON: USHORT * Buffer [..] = 005C 005C 0052 0045 0047 0045 004E 0054
      R_LOGON: PCHAR Buffer [..] = 42 4C FF D2 71 BB 8F 24 4B 9F 86 8B A7 A3 DA D3 96 14 88 45 7E BB B5 28
      R_LOGON: PCHAR Buffer [..] = 5D F4 44 C6 A2 CC DE 7E 22 5F C2 F6 B4 C6 3B 2D C1 CF B0 29 F5 D4 92 2E
  R_LOGON: NETLOGON_VALIDATION_INFO_CLASS ValidationLevel = 3 (0x3)
00000: 00 C0 5C 03 12 1E 00 80 C8 81 8F 9D 08 00 45 00  ..\...........E.
00010: 01 CA 92 05 40 00 80 06 B1 B7 C2 9F 18 18 C2 9F  ....@...........
00020: 18 1A 04 08 00 8B 00 16 01 8A 94 87 59 8D 50 18  ............Y.P.
00030: 20 79 B5 F8 00 00 00 00 01 9E FF 53 4D 42 25 00   y.........SMB%.
00040: 00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00  ................
00090: B8 CE                                            ..
000A0: 14 00 09 00 00 00 00 00 00 00 09 00 00 00 5C 00  ..............\.
000B0: 5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 00 00  \.R.E.G.E.N.T...
000C0: C9 11 B4 3C 95 75 07 00 00 00 00 00 00 00 07 00  ...<.u..........
000D0: 00 00 4B 00 4E 00 49 00 47 00 48 00 54 00 00 00  ..K.N.I.G.H.T...
000E0: 00 00 F8 F9 49 01 89 97 14 C1 23 C6 7B BB 26 B6  ....I.....#.{.&.
000F0: D4 34 04 FA 49 01 B9 6E F6 77 00 00 14 00 00 00  .4..I..n.w......
00100: 00 00 02 00 02 00 28 FD 49 01 0A 00 0A 00 B0 2E  ......(.I.......
00110: 15 00 02 00 00 00 D8 8B 00 00 00 00 00 00 08 00  ................
00120: 08 00 BA 2E 15 00 10 00 10 00 C2 2E 15 00 FB DA  ................
00130: 8B 7F 9B 0B C1 9E 18 00 18 00 D2 2E 15 00 18 00  ................
00140: 18 00 EA 2E 15 00 05 00 00 00 00 00 00 00 05 00  ................
00150: 00 00 54 00 45 00 53 00 54 00 33 00 45 00 04 00  ..T.E.S.T.3.E...
00160: 00 00 00 00 00 00 04 00 00 00 6C 00 6B 00 63 00  ..........l.k.c.
00170: 6C 00 08 00 00 00 00 00 00 00 08 00 00 00 5C 00  l.............\.
00180: 5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 18 00  \.R.E.G.E.N.T...
00190: 00 00 00 00 00 00 18 00 00 00 42 4C FF D2 71 BB  ..........BL..q.
001A0: 8F 24 4B 9F 86 8B A7 A3 DA D3 96 14 88 45 7E BB  .$K..........E~.
001B0: B5 28 18 00 00 00 00 00 00 00 18 00 00 00 5D F4  .(............].
001C0: 44 C6 A2 CC DE 7E 22 5F C2 F6 B4 C6 3B 2D C1 CF  D....~"_....;-..
001D0: B0 29 F5 D4 92 2E 03 00                          .)......
More information about the samba-ntdom mailing list
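Editor's added example, not part of Luke's post and not Samba code: a small NDR reader that walks the stub data of this exact request and recovers every field the Network Monitor decode above shows, so the mapping between the decoded tree and the raw bytes can be checked rather than trusted. The byte string is constructed from the rows of the dump from 0x9E to 0x1D7; the rows before it are Ethernet/IP/TCP/NBT/SMB/RPC headers and are left out. Two assumptions are made, both stated in the code: the two bytes B8 CE on the 0x90 row are the tail of that otherwise elided row (offsets 0x9E and 0x9F), and NDR alignment is counted from the start of the stub rather than from the start of the frame. With those, the stub is exactly 314 bytes, which is the RPC alloc hint 0x13A in the MSRPC line, and the stray bytes C9 11 after \\REGENT and 45 00 after TEST3 fall out as alignment padding.

```python
import struct

# Constructed from the Network Monitor dump in the post: the NDR stub of the
# NetrLogonSamLogon request, frame offsets 0x9E..0x1D7 (314 bytes, the RPC
# alloc hint 0x13A).  Assumption: "B8 CE" on the 0x90 row is its tail (0x9E).
STUB = bytes.fromhex("""
    B8 CE
    14 00 09 00 00 00 00 00 00 00 09 00 00 00 5C 00
    5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 00 00
    C9 11 B4 3C 95 75 07 00 00 00 00 00 00 00 07 00
    00 00 4B 00 4E 00 49 00 47 00 48 00 54 00 00 00
    00 00 F8 F9 49 01 89 97 14 C1 23 C6 7B BB 26 B6
    D4 34 04 FA 49 01 B9 6E F6 77 00 00 14 00 00 00
    00 00 02 00 02 00 28 FD 49 01 0A 00 0A 00 B0 2E
    15 00 02 00 00 00 D8 8B 00 00 00 00 00 00 08 00
    08 00 BA 2E 15 00 10 00 10 00 C2 2E 15 00 FB DA
    8B 7F 9B 0B C1 9E 18 00 18 00 D2 2E 15 00 18 00
    18 00 EA 2E 15 00 05 00 00 00 00 00 00 00 05 00
    00 00 54 00 45 00 53 00 54 00 33 00 45 00 04 00
    00 00 00 00 00 00 04 00 00 00 6C 00 6B 00 63 00
    6C 00 08 00 00 00 00 00 00 00 08 00 00 00 5C 00
    5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 18 00
    00 00 00 00 00 00 18 00 00 00 42 4C FF D2 71 BB
    8F 24 4B 9F 86 8B A7 A3 DA D3 96 14 88 45 7E BB
    B5 28 18 00 00 00 00 00 00 00 18 00 00 00 5D F4
    44 C6 A2 CC DE 7E 22 5F C2 F6 B4 C6 3B 2D C1 CF
    B0 29 F5 D4 92 2E 03 00
""")


class NdrReader:
    """Little-endian NDR reader; alignment counts from the stub start (assumed)."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def scalar(self, fmt, size):
        self.pos = (self.pos + size - 1) // size * size      # natural alignment
        self.pos += size
        return struct.unpack_from(fmt, self.data, self.pos - size)[0]

    def u16(self):
        return self.scalar("<H", 2)

    def u32(self):
        return self.scalar("<I", 4)

    def raw(self, n):
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def conformant_varying(self, elem_size):
        # max count, offset, actual count, then actual * elem_size data bytes
        max_count, offset, actual = self.u32(), self.u32(), self.u32()
        if offset != 0 or actual > max_count:
            raise ValueError("malformed conformant varying array")
        return self.raw(actual * elem_size)

    def wstring(self):
        return self.conformant_varying(2).decode("utf-16-le").rstrip("\0")

    def string_hdr(self):
        # RPC_UNICODE_STRING / STRING: Length, MaximumLength, deferred buffer pointer
        return self.u16(), self.u16(), self.u32()


def parse_samlogon_request(stub):
    """Decode the [in] parameters of NetrLogonSamLogon at LogonLevel 2."""
    r, out = NdrReader(stub), {}
    r.u32()                                      # referent id, LogonServer
    out["LogonServer"] = r.wstring()
    r.u32()                                      # referent id, ComputerName
    out["ComputerName"] = r.wstring()
    r.u32()                                      # referent id, Authenticator
    out["Authenticator"] = (r.raw(8), r.u32())   # credential, timestamp
    r.u32()                                      # referent id, ReturnAuthenticator
    out["ReturnAuthenticator"] = (r.raw(8), r.u32())
    out["LogonLevel"] = r.u16()
    if r.u16() != out["LogonLevel"] or out["LogonLevel"] != 2:   # union switch
        raise ValueError("only NetlogonNetworkInformation (level 2) handled")
    r.u32()                                      # referent id, NETLOGON_NETWORK_INFO
    # Identity: string headers are inline, their bodies deferred past the struct
    domain_hdr = r.string_hdr()
    out["ParameterControl"] = r.u32()
    out["LogonId"] = r.u32() | (r.u32() << 32)   # OLD_LARGE_INTEGER, low then high
    user_hdr, wks_hdr = r.string_hdr(), r.string_hdr()
    out["LmChallenge"] = r.raw(8)                # LM_CHALLENGE: CHAR data[8]
    nt_hdr, lm_hdr = r.string_hdr(), r.string_hdr()
    # Deferred pointees follow in the order their pointers appeared; the
    # UNICODE_STRING bodies carry no terminator, the STRING bodies stay bytes
    for name, hdr, elem in (("LogonDomainName", domain_hdr, 2), ("UserName", user_hdr, 2),
                            ("Workstation", wks_hdr, 2), ("NtChallengeResponse", nt_hdr, 1),
                            ("LmChallengeResponse", lm_hdr, 1)):
        body = r.conformant_varying(elem)
        if len(body) != hdr[0]:
            raise ValueError(f"{name}: body does not match header Length")
        out[name] = body.decode("utf-16-le") if elem == 2 else body
    out["ValidationLevel"] = r.u16()
    if r.pos != len(stub):
        raise ValueError("stub has trailing bytes")
    return out
```

Running `parse_samlogon_request(STUB)` returns \\REGENT, KNIGHT, TEST3, lkcl, the challenge FB DA 8B 7F 9B 0B C1 9E and both 24-byte responses exactly as the decoder prints them. Two points worth noting from the walk: the padding bytes are not zeroed (C9 11, 45 00), so whatever was in the client's buffer leaks into the wire format; and the challenge and responses are placed in the stub byte for byte. At LogonLevel 2 (NetlogonNetworkInformation) NetrLogonSamLogon does not apply the secure-channel session key to these fields; that encryption is used for the OWF passwords of the interactive-logon arm, so any confidentiality for a network logon comes from the RPC protection negotiated on the netlogon pipe, not from the call itself.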