NT LM SSPI and DCE/RPC
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Sat Feb 14 18:52:27 GMT 1998
notes. paul started looking at the "password change" function. press
ctrl-alt-delete when logged in, select passwords button, change password.
this causes encrypted dce/rpc to be negotiated for \PIPE\samr, over which
two apis are sent: 0x37 and 0x38. the encryption used is "NT LM SSPI".
however, paul has been using NT 3.51 talking to NT 4.0. there appears to
be some interaction there that causes the dce/rpc "encrypted" \PIPE\samr
to be dropped, and to go for unencrypted \PIPE\samr.
see RPC_AUTH_NTLMSSP_REQ and _RESP in lib/rpc/include/rpc_dce.h. paul
sees unknown_3 in the _RESP structure as 0x82b1, and the unknown_0 in the _REQ
structure as 0xb3b6. if this happens, then the pipe is closed, and
re-opened without encryption.
further experimentation is needed, but a guess as to what is happening is
that the response being returned indicates "i support version X of the
NTLM SSP". the client doesn't support that version, so closes the
connection, and re-opens with unencrypted RPC.
... which brings us on to the 0x37 and 0x38 pipes, in the clear. more on
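the behaviour described in the message is a protocol downgrade: the client asks for a protected \PIPE\samr binding, does not like what the server answers, and silently re-opens the pipe in the clear, so the password-change calls travel unprotected. the following is an added example, not code from this message and not samba's code. it builds and parses NTLMSSP NEGOTIATE (type 1) and CHALLENGE (type 2) messages using the published MS-NLMP layout and flag bits (which is an assumption here; the unknown_0/unknown_3 fields quoted above are not interpreted), and shows the check a client should make: if the server's CHALLENGE drops the SIGN/SEAL bits the client asked for, fail closed instead of falling back to an unencrypted pipe. the function and constant names are this example's own.

```python
import struct

# NTLMSSP wire format (MS-NLMP 2.2.1); assumed layout, not taken from rpc_dce.h
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1   # type 1, client -> server
CHALLENGE_MESSAGE = 2   # type 2, server -> client

# NegotiateFlags bits (MS-NLMP 2.2.2.5)
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_SIGN = 0x00000010   # integrity on the DCE/RPC PDUs
NEGOTIATE_SEAL = 0x00000020   # confidentiality on the DCE/RPC PDUs
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_128 = 0x20000000
NEGOTIATE_KEY_EXCH = 0x40000000

# protections the client insists on for a "private" (sealed) pipe binding
REQUIRED_PROTECTION = NEGOTIATE_SIGN | NEGOTIATE_SEAL


def build_negotiate(flags):
    """Type 1 message: signature, type, flags, empty DomainName and
    Workstation fields (len, maxlen, offset) pointing past the header."""
    empty_field = struct.pack("<HHI", 0, 0, 32)
    return (NTLMSSP_SIGNATURE
            + struct.pack("<II", NEGOTIATE_MESSAGE, flags)
            + empty_field + empty_field)


def build_challenge(flags, server_challenge):
    """Type 2 message: signature, type, empty TargetName field, flags,
    8-byte ServerChallenge, 8 reserved bytes."""
    if len(server_challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    return (NTLMSSP_SIGNATURE
            + struct.pack("<I", CHALLENGE_MESSAGE)
            + struct.pack("<HHI", 0, 0, 32)
            + struct.pack("<I", flags)
            + server_challenge
            + b"\x00" * 8)


def parse_flags(msg):
    """Return the NegotiateFlags of a type 1 or type 2 message."""
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type == NEGOTIATE_MESSAGE:
        return struct.unpack_from("<I", msg, 12)[0]   # right after the type
    if msg_type == CHALLENGE_MESSAGE:
        return struct.unpack_from("<I", msg, 20)[0]   # after TargetName fields
    raise ValueError("unsupported NTLMSSP message type %d" % msg_type)


def missing_protection(negotiate_msg, challenge_msg, required=REQUIRED_PROTECTION):
    """Bits of `required` that the client asked for but the server's
    CHALLENGE does not offer. Non-zero means the server is steering the
    client toward a weaker binding."""
    requested = parse_flags(negotiate_msg) & required
    offered = parse_flags(challenge_msg)
    return requested & ~offered


def client_binding_decision(negotiate_msg, challenge_msg, fail_closed=True):
    """What the client does with the server's answer.
    'sealed'    : server honoured SIGN/SEAL, carry on over the protected pipe.
    'cleartext' : the downgrade observed in the message above (only reached
                  when fail_closed=False): close the pipe and reopen it unencrypted.
    Raises when fail_closed=True and protection was dropped."""
    dropped = missing_protection(negotiate_msg, challenge_msg)
    if dropped == 0:
        return "sealed"
    if fail_closed:
        raise RuntimeError("server dropped negotiate flags 0x%08x; refusing "
                           "to fall back to an unencrypted pipe" % dropped)
    return "cleartext"


if __name__ == "__main__":
    # constructed sample exchange, not a capture
    client_flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | REQUIRED_PROTECTION
    neg = build_negotiate(client_flags)
    good = build_challenge(client_flags | NEGOTIATE_ALWAYS_SIGN, b"\x11" * 8)
    weak = build_challenge(NEGOTIATE_UNICODE | NEGOTIATE_NTLM, b"\x11" * 8)
    print("server honours SIGN/SEAL :", client_binding_decision(neg, good))
    print("server drops SIGN/SEAL   :", client_binding_decision(neg, weak, fail_closed=False))
```

the point of `fail_closed=True` is that a server (or a man in the middle) that answers without the requested SIGN/SEAL bits must not be able to turn a password change into a cleartext \PIPE\samr conversation just by not agreeing to encryption.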