NTDOM: SamLogon validation of one workstation to another via a PDC.

Luke Kenneth Casson Leighton lkcl at switchboard.net
Tue Feb 3 16:13:25 GMT 1998


On Tue, 3 Feb 1998, Paul Ashton wrote:

> At 20:10 01/02/98 , Luke Kenneth Casson Leighton wrote:
> >the 8 byte challenge (LmChallenge) and 24 byte lm and nt responses
> >(LmChallengeResponse and NtChallengeResponse) of the SMBnegprot and
> >SMBsessionsetupX between the first and second NT workstations are sent to
> >the PDC, in the DCE/RPC packet shown below.  presumably the challenge /
> >responses are two-way obfuscated. 
> 
> No they aren't.

whoops.
 
> >the PDC decrypts the challenge and responses (presumably) and then does a
> >standard SMB password validate, as if it had issued the SMBnegprot
> >response, and received the SMBsessionsetupX query itself.
> >
> >does anyone know what obfuscation / encryption is used to encode the
> >challenge and responses in the packet below?
> 
> None. From a quick look at a packet trace, the original client that wishes
> to access a share does an SMB negotiate and receives an 8 byte challenge,
> it then does a session setup & X with a 24 byte challenge response. The
> SMB server then forwards the challenge and the response to the PDC
> without encryption. The PDC confirms whether the response was valid and
> if so, returns the password hash to the SMB server (rc4 encrypted) so
> that the SMB server could then forward the hash to other servers on
> behalf of the client. 
> 
> Codeable Luke?

easy.  i'm half way there, taking things slowly.  i'll probably have a
check-in in a couple of days.

luke


