NTDOM: SamLogon validation of one workstation to another via a PDC.

Paul Ashton paul at argo.demon.co.uk
Tue Feb 3 00:08:29 GMT 1998


At 20:10 01/02/98, Luke Kenneth Casson Leighton wrote:
>the 8 byte challenge (LmChallenge) and 24 byte lm and nt responses
>(LmChallengeResponse and NtChallengeResponse) of the SMBnegprot and
>SMBsessionsetupX between the first and second NT workstations are sent to
>the PDC, in the DCE/RPC packet shown below.  presumably the challenge /
>responses are two-way obfuscated. 

No they aren't.

>the PDC decrypts the challenge and responses (presumably) and then does a
>standard SMB password validate, as if it had issued the SMBnegprot
>response, and received the SMBsessionsetupX query itself.
>
>does anyone know what obfuscation / encryption is used to encode the
>challenge and responses in the packet below?

None. From a quick look at a packet trace, the original client that wishes
to access a share does an SMB negotiate and receives an 8 byte challenge,
it then does a session setup & X with a 24 byte challenge response. The
SMB server then forwards the challenge and the response to the PDC
without encryption. The PDC confirms whether the response was valid and
if so, returns the password hash to the SMB server (rc4 encrypted) so
that the SMB server could then forward the hash to other servers on
behalf of the client. 

Codeable Luke?

Paul
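The exchange Paul describes, worked through as an added example in Go; this is not code from the original post and not Samba's code. It takes the 24-byte response to be the standard LanMan/NT construction (the 16-byte hash zero-padded to 21 bytes, cut into three 7-byte DES keys, each encrypting the 8-byte challenge), which the post itself does not spell out. The stored NT hash is the widely published value for the password "password"; the 8-byte challenge and the 16-byte session key under which the PDC RC4-encrypts the returned hash are constructed, and the function names (pdcSamLogon, guessHash) are illustrative, not NetLogon's. The last step is the practitioner's check: because the member server forwards challenge and response without encryption, anyone who sees that SamLogon traffic can test candidate hashes offline.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rc4"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// NT hash (MD4 of the UTF-16LE password) for the password "password", a widely
// published value used here as the PDC's stored credential, so no MD4 code is needed.
var ntHash, _ = hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c")

// desKey expands a 7-byte key fragment into the 8-byte key DES expects by
// inserting an odd-parity bit as the low bit of every byte.
func desKey(k7 []byte) []byte {
	var acc uint64
	for _, b := range k7 {
		acc = acc<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		b := byte(acc&0x7f) << 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		key[i] = b
		acc >>= 7
	}
	return key
}

// challengeResponse computes the 24-byte LM/NT challenge response (assumed standard
// construction): hash zero-padded to 21 bytes, three 7-byte DES keys, each encrypting
// the challenge. The client uses it because it knows the password; the PDC because
// it stores the hash.
func challengeResponse(hash, challenge []byte) ([]byte, error) {
	if len(hash) != 16 || len(challenge) != 8 {
		return nil, fmt.Errorf("need a 16-byte hash and an 8-byte challenge")
	}
	padded := make([]byte, 21)
	copy(padded, hash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKey(padded[i*7 : i*7+7]))
		if err != nil {
			return nil, err
		}
		block.Encrypt(out[i*8:i*8+8], challenge)
	}
	return out, nil
}

// rc4Crypt applies RC4 under key; the same call encrypts and decrypts.
func rc4Crypt(key, data []byte) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out
}

// pdcSamLogon is the PDC's side: recompute the response from the stored hash, compare
// it with the forwarded one, and on success return the hash RC4-encrypted under the
// session key shared with the member server (key establishment is assumed, not shown).
func pdcSamLogon(storedHash, challenge, response, sessionKey []byte) ([]byte, bool) {
	expected, err := challengeResponse(storedHash, challenge)
	if err != nil || subtle.ConstantTimeCompare(expected, response) != 1 {
		return nil, false
	}
	return rc4Crypt(sessionKey, storedHash), true
}

// guessHash is the observer's view of the cleartext forwarding: with the challenge and
// response in hand, candidate hashes can be tested offline. Returns the matching index or -1.
func guessHash(challenge, response []byte, candidates [][]byte) int {
	for i, h := range candidates {
		if r, err := challengeResponse(h, challenge); err == nil && bytes.Equal(r, response) {
			return i
		}
	}
	return -1
}

func main() {
	challenge := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef} // constructed LmChallenge
	sessionKey := []byte("constructed16byt")                              // constructed, 16 bytes

	// Workstation 1 -> workstation 2 (SMBsessionsetupX): the 24-byte response.
	resp, _ := challengeResponse(ntHash, challenge)
	fmt.Printf("NtChallengeResponse: %x\n", resp)

	// Workstation 2 -> PDC (SamLogon): challenge and response forwarded as-is.
	enc, ok := pdcSamLogon(ntHash, challenge, resp, sessionKey)
	fmt.Printf("PDC accepted: %v, hash returned (RC4): %x\n", ok, enc)
	fmt.Printf("hash recovered by workstation 2: %x\n", rc4Crypt(sessionKey, enc))

	// A response that does not match the stored hash is refused.
	bad := append([]byte(nil), resp...)
	bad[0] ^= 0x01
	_, ok = pdcSamLogon(ntHash, challenge, bad, sessionKey)
	fmt.Printf("tampered response accepted: %v\n", ok)

	// An eavesdropper on the SamLogon traffic tries two candidate hashes offline.
	empty, _ := hex.DecodeString("31d6cfe0d16ae931b73c59d7e0c089c0") // NT hash of ""
	fmt.Printf("offline match at candidate %d\n", guessHash(challenge, resp, [][]byte{empty, ntHash}))
}
```

Run it with `go run`; the PDC accepts the genuine response, refuses the tampered one, and the offline guess finds the hash at index 1 without ever talking to the PDC. The RC4 step protects only the returned hash, not the challenge/response pair that preceded it.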


