NTDOM: SamLogon validation of one workstation to another via a PDC.
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Tue Feb 3 16:13:25 GMT 1998
On Tue, 3 Feb 1998, Paul Ashton wrote:
> At 20:10 01/02/98 , Luke Kenneth Casson Leighton wrote:
> >the 8 byte challenge (LmChallenge) and 24 byte lm and nt responses
> >(LmChallengeResponse and NtChallengeResponse) of the SMBnegprot and
> >SMBsessionsetupX between the first and second NT workstations are sent to
> >the PDC, in the DCE/RPC packet shown below. presumably the challenge /
> >responses are two-way obfuscated.
>
> No they aren't.
whoops.
> >the PDC decrypts the challenge and responses (presumably) and then does a
> >standard SMB password validate, as if it had issued the SMBnegprot
> >response, and received the SMBsessionsetupX query itself.
> >
> >does anyone know what obfuscation / encryption is used to encode the
> >challenge and responses in the packet below?
>
> None. From a quick look at a packet trace, the original client that wishes
> to access a share does an SMB negotiate and receives an 8 byte challenge,
> it then does a session setup & X with a 24 byte challenge response. The
> SMB server then forwards the challenge and the response to the PDC
> without encryption. The PDC confirms whether the response was valid and
> if so, returns the password hash to the SMB server (rc4 encrypted) so
> that the SMB server could then forward the hash to other servers on
> behalf of the client.
>
> Codeable Luke?
easy. i'm half way there, taking things slowly. i'll probably have a
check-in in a couple of days.
luke
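
The pass-through check discussed in this thread, as an added example that is not part of the original messages or of Samba's code: the client derives the 24-byte response from its 16-byte password hash and the server's 8-byte challenge using the standard DES-based scheme, and the PDC recomputes it from the stored hash when the pair is forwarded. The function names and the sample hash and challenge are assumptions made for the illustration, not values from the thread.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// desKey spreads a 7-byte key over 8 bytes, leaving the low (parity) bit of each byte clear.
func desKey(k7 []byte) []byte {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := range k {
		k[i] = (byte(v>>uint(49-7*i)) & 0x7f) << 1
	}
	return k
}

// challengeResponse computes the 24-byte response from a 16-byte hash and an 8-byte challenge.
func challengeResponse(hash [16]byte, challenge [8]byte) [24]byte {
	var padded [21]byte // hash zero-padded to 21 bytes = three 7-byte DES keys
	copy(padded[:], hash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(padded[7*i : 7*i+7])) // an 8-byte key never errors
		c.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// pdcValidate is the PDC side: recompute from the stored hash, compare in constant time.
func pdcValidate(stored [16]byte, challenge [8]byte, response [24]byte) bool {
	want := challengeResponse(stored, challenge)
	return subtle.ConstantTimeCompare(want[:], response[:]) == 1
}

func main() {
	var hash [16]byte
	var chal [8]byte
	hex.Decode(hash[:], []byte("cd06ca7c7e10c99b1d33b7485a2ed808")) // sample hash (assumption)
	hex.Decode(chal[:], []byte("0123456789abcdef"))                 // sample challenge (assumption)
	resp := challengeResponse(hash, chal) // client side, sent in the session setup
	ok := pdcValidate(hash, chal, resp)   // PDC side, on the forwarded challenge and response
	chal[0] ^= 1                          // the same response checked against another challenge
	fmt.Println("valid:", ok, "other challenge:", pdcValidate(hash, chal, resp))
}
```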