NT Security Alert: (was Re: NTDOM: SamLogon validation...)

Paul Ashton paul at argo.demon.co.uk
Tue Feb 3 08:45:16 GMT 1998

At 01:18 03/02/98, Paul Ashton wrote:
>From a quick look at a packet trace, the original client that wishes
>to access a share does an SMB negotiate and receives an 8 byte challenge,
>it then does a session setup & X with a 24 byte challenge response. The
>SMB server then forwards the challenge and the response to the PDC
>without encryption. The PDC confirms whether the response was valid and
>if so, returns the password hash to the SMB server (rc4 encrypted) so
>that the SMB server could then forward the hash to other servers on
>behalf of the client. 

This means that anybody passively listening to the LAN can turn
any NTLM challenge response sequence into a password equivalent!
Just forward the challenge and response of a sniffed packet to an
NT DC and it will send you the password equivalent.

The only thing you need is access to a workstation trust account
name and password. You will have this if you have administrative
access to your own machine or if you listen to a workstation
joining a domain for the first time.

I think Luke's smbclient mods can be coded to exploit this. Luke?
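The PDC-side check the quoted paragraph describes, as an added example that is not part of the original post or of any Samba code: the 24-byte NTLM (v1) response is three single-DES encryptions of the 8-byte challenge under keys cut from the zero-padded 16-byte hash, so the DC needs nothing but the stored hash to confirm a response, which is exactly why holding the hash is as good as holding the password. The hash/challenge pair is the NTLMv1 test vector from the MS-NLMP specification; the function names are mine.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// desKeyFrom7 spreads 7 key bytes over the 8 DES expects; the low bit of each byte is parity, ignored by DES.
func desKeyFrom7(k []byte) []byte {
	out := make([]byte, 8)
	out[0] = k[0]
	for i := 1; i < 7; i++ {
		out[i] = (k[i-1] << (8 - uint(i))) | (k[i] >> uint(i))
	}
	out[7] = k[6] << 1
	return out
}

// ntlmResponse builds the 24-byte NTLM (v1) response: the hash is zero-padded to
// 21 bytes, cut into three 7-byte DES keys, and each key encrypts the challenge once.
func ntlmResponse(hash16, challenge []byte) ([]byte, error) {
	if len(hash16) != 16 || len(challenge) != 8 {
		return nil, fmt.Errorf("need a 16-byte hash and an 8-byte challenge")
	}
	padded := make([]byte, 21)
	copy(padded, hash16)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		block, _ := des.NewCipher(desKeyFrom7(padded[7*i : 7*i+7])) // key is always 8 bytes here
		out := make([]byte, 8)
		block.Encrypt(out, challenge)
		resp = append(resp, out...)
	}
	return resp, nil
}

// pdcValidate is the PDC's check on a forwarded (challenge, response) pair; the stored hash alone suffices.
func pdcValidate(hash16, challenge, response []byte) bool {
	expected, err := ntlmResponse(hash16, challenge)
	return err == nil && bytes.Equal(expected, response)
}

func main() { // MS-NLMP 4.2.2 vector: NT hash of "Password", challenge 0x0123456789abcdef
	hash, _ := hex.DecodeString("a4f49c406510bdcab6824ee7c30fd852")
	chal, _ := hex.DecodeString("0123456789abcdef")
	resp, _ := ntlmResponse(hash, chal)
	fmt.Printf("response %x, PDC accepts: %v\n", resp, pdcValidate(hash, chal, resp))
}
```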


