Todo list

Paul Ashton paul at argo.demon.co.uk
Mon Feb 9 16:34:45 GMT 1998


At 15:15 09/02/98 , Jean-Francois Micouleau wrote:
>On Tue, 10 Feb 1998, Paul Ashton wrote:
>> 3. Password changing. There seem to be dozens of ways to
>>    do this and the various mechanisms are documented in
>>    some of the cifs documents, microsoft ppp chap extensions,
>>    and other places. NetServerPasswordSet() should be an
>>    easy one that we haven't got around to yet. The nice
>>    one to have would be the CTRL-ALT-DEL password change
>>    one as that provides a plaintext password to the server
>>    in order that it can be quality checked. Decoding that

>Did you get a trace of this one already? From what I understood on
>other lists the password is sent in the form of an encrypted challenge/response.
>Or I didn't understand at all, which is also possible!

NTLM challenge response isn't really to do with password changing,
just authentication.

I've got dozens of traces of NetServerPasswordSet. I'm sure it's
just an encryption of the new OWF with the old one as a key. If you
look in the ms chap extensions document it lists loads of ways of
doing various forms of this. I originally thought it was just
RC4(sk,newowf) but it wasn't. Just a bit of trial and error
needed (or disassembly (or nice mr. leach tells us...)).
At the moment we just reject the password change and leave as
"hostname" which also makes life easier.

The user password change seems to use an undocumented (i.e. undocumented
as far as ms netmon is concerned) \samr pipe rpc call. And the
whole of the rpc may be encrypted. Anyone familiar with DCE RPC
might be able to help here (or anyone willing to download and
print the specs).

The key to all this stuff is to use a checked build version
of netlogon.dll. You can either get this off a checked build
(i.e. debug version with additional assertions and symbols)
NT CD, in MSDN, or you can download a checked build service
pack from microsoft (big!).

Once you've done that,
net stop netlogon
copy netlogon.dll \winnt\system32 (maybe backup the old one)
regedt32
set HKLM\CCS\services\netlogon\parameters\DBFLAG REG_SZ 0x1fffffff
net start netlogon

This will create a directory \winnt\debug and a file netlogon.log
That file will contain all the interesting netlogon activities,
session keys, and plaintext/ciphertext pairs. If you do it both
on your workstation and an NT PDC you will see both sides of
the protocol. If Samba is your PDC you will often see why
something isn't working such as invalid computed credentials.

Paul
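The net stop / regedt32 / net start sequence above, as an added example that is not code from the post: a PowerShell script for a current Windows host, where the shipped netlogon.dll already honours DBFlag (so the checked-build copy is not needed) and the value is stored as REG_DWORD rather than the REG_SZ used on NT 4. It assumes an elevated session and the registry path HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, which is what "HKLM\CCS\...\parameters" abbreviates; the backup file under $env:TEMP is the script's own convention.

```powershell
# Added example, not code from the post: toggle Netlogon debug logging with
# PowerShell instead of regedt32/net. Assumes an elevated session on a current
# Windows host, where the shipped netlogon.dll honours DBFlag (no checked-build
# copy needed) and stores it as REG_DWORD (the 1998 post used REG_SZ on NT 4).
[CmdletBinding()]
param(
    [switch]$Disable,                 # restore the previous DBFlag and stop logging
    [uint32]$DbFlag = 0x1fffffff      # mask from the post: log everything
)

$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$logFile   = Join-Path $env:SystemRoot 'debug\netlogon.log'
$stateFile = Join-Path $env:TEMP 'netlogon-dbflag.previous'   # script's own backup of the old value

if (-not $Disable) {
    # Remember whatever was there (or "none") so -Disable can put it back.
    $old = (Get-ItemProperty -Path $paramKey -Name DBFlag -ErrorAction SilentlyContinue).DBFlag
    Set-Content -Path $stateFile -Value ($(if ($null -eq $old) { 'none' } else { $old }))

    New-ItemProperty -Path $paramKey -Name DBFlag -Value $DbFlag `
        -PropertyType DWord -Force | Out-Null
    Restart-Service -Name Netlogon -Force

    # Give the service a moment, then confirm the log described in the post exists.
    $deadline = (Get-Date).AddSeconds(30)
    while (-not (Test-Path $logFile) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 1 }
    if (Test-Path $logFile) {
        Write-Host "Netlogon logging enabled (DBFlag=0x$($DbFlag.ToString('x'))); tailing $logFile"
        Get-Content -Path $logFile -Tail 20
    } else {
        Write-Warning "DBFlag set and service restarted, but $logFile has not appeared yet"
    }
}
else {
    # Put the previous value back (or remove the value if there was none) and restart.
    $old = if (Test-Path $stateFile) { Get-Content -Path $stateFile -TotalCount 1 } else { 'none' }
    if ($old -eq 'none') {
        Remove-ItemProperty -Path $paramKey -Name DBFlag -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $paramKey -Name DBFlag -Value ([uint32]$old) `
            -PropertyType DWord -Force | Out-Null
    }
    Restart-Service -Name Netlogon -Force
    Remove-Item -Path $stateFile -ErrorAction SilentlyContinue
    Write-Host "Netlogon DBFlag restored to '$old'; log remains at $logFile for review"
}
```

Run it once without arguments to start logging and once with -Disable when done; the log keeps the session-key and credential detail the post mentions, so treat it as sensitive and delete it after review.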
