encrypted DCE/RPC - progress.

Paul Ashton paul at argo.demon.co.uk
Tue Feb 17 16:10:28 GMT 1998

At 15:06 17/02/98 , Luke Kenneth Casson Leighton wrote:
>we don't know what the nt lm ssp encryption is: the default appears to be
>rc4, but we don't know what the key is.  8 bytes come from the client, 8
>from the server, and there should be some fancy function to create a key
>for the rc4 decryption.

The NTLM SSP is contained in security.dll. Security.dll contains an
implementation of rc4 internally (I don't know why it doesn't call
the equivalent systemfunctionNNN()). It also calls systemfunction008
at some point which I've never really looked at other than to note
that it is a form of DES. This form of NTLM is just like all
the others in SMB, HTTP, etc. in which the server issues an 8
byte challenge and the client responds with a 24 byte response
which is a function of your password hash and the challenge.

As a side effect, providing you aren't in France(?) (there is an
internal call to IsEncryptionPermitted() that checks which locale
is in use), it produces a key to provide packet integrity and
perhaps confidentiality. We don't *need* to bother with this
at the moment since we can get the client to forget about
encrypting the packet if we respond with a certain set of flags
in the RPC authentication trailer where the NTLMSSP data
is stored. However it would be nice to find out what the
key is. It won't be much effort to do, just a bit tedious
setting up the debugger and writing a few test programs
(or do it all from a disassembly).

A lot of this information is available by finding various
documents such as ntsspi.doc, linux-dce-rpc source, kb
articles, microsoft chap extensions rfc, sspi.h and other
header files in the win32 sdk and sample programs, CIFS docs,
dejanews and search engines. It just takes quite a bit of
time to find it.

It would be nice if someone would like to tackle the
NetServerPasswordSet RPC which is likely to be an
implementation of one of the algorithms in the above
documents. All it requires is a bit of research and
the ability to write a few simple C programs to do
stuff like DES and RC4 (using existing libraries).
You don't even have to have an NT server and workstation,
just someone willing to send some ASCII netmon dumps.
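As an added example (not code from this mailing-list thread or from Samba), the 8-byte challenge / 24-byte response computation Paul describes, written in Go rather than C because Go's standard library ships DES. The hash is zero-padded to 21 bytes, split into three 7-byte DES keys, and each key encrypts the challenge. The challenge and the NT and LM hashes of the password "Password" are the published MS-NLMP test vectors; the hashes are taken as inputs because the standard library has no MD4. The helper names (`expandDESKey`, `desBlock`, `ChallengeResponse`, `VerifyResponse`) are this example's own. `VerifyResponse` is the server-side check a defender would write: recompute from the stored hash and compare in constant time.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// MS-NLMP section 4.2.2 test vectors for the password "Password":
// the 8-byte server challenge, the NT hash (MD4 of the UTF-16LE password)
// and the LM hash. Both hashes are inputs here, since Go's standard
// library has DES but not MD4.
const (
	testChallenge = "0123456789abcdef"
	testNTHash    = "a4f49c406510bdcab6824ee7c30fd852"
	testLMHash    = "e52cac67419a9a224a3b108f3fa6cb6d"
)

// mustHex decodes a hex string or panics; only used for the fixed vectors above.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// expandDESKey spreads a 7-byte (56-bit) key across 8 bytes so that each
// byte carries 7 key bits in its high positions and an (ignored) parity
// bit in its low bit, which is the key layout crypto/des expects.
func expandDESKey(k7 []byte) []byte {
	if len(k7) != 7 {
		panic("expandDESKey: need exactly 7 bytes")
	}
	k8 := []byte{
		k7[0] >> 1,
		(k7[0]&0x01)<<6 | k7[1]>>2,
		(k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4,
		(k7[3]&0x0f)<<3 | k7[4]>>5,
		(k7[4]&0x1f)<<2 | k7[5]>>6,
		(k7[5]&0x3f)<<1 | k7[6]>>7,
		k7[6] & 0x7f,
	}
	for i := range k8 {
		k8[i] <<= 1 // leave bit 0 free for the parity bit
	}
	return k8
}

// desBlock encrypts one 8-byte block under a 7-byte key.
func desBlock(k7, block []byte) []byte {
	c, err := des.NewCipher(expandDESKey(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out
}

// ChallengeResponse builds the 24-byte response from a 16-byte password
// hash and the 8-byte server challenge. The hash is zero-padded to 21
// bytes, cut into three 7-byte DES keys, and each key encrypts the
// challenge. The third key is 2 hash bytes plus 5 zero bytes, so that
// block depends on only 16 unknown bits, one reason this scheme is weak.
func ChallengeResponse(hash16, challenge8 []byte) []byte {
	if len(hash16) != 16 || len(challenge8) != 8 {
		panic("ChallengeResponse: need a 16-byte hash and an 8-byte challenge")
	}
	padded := make([]byte, 21)
	copy(padded, hash16)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desBlock(padded[i*7:i*7+7], challenge8)...)
	}
	return resp
}

// VerifyResponse is the server side: recompute the expected response from
// the stored hash and the challenge it issued, then compare in constant time.
func VerifyResponse(hash16, challenge8, response24 []byte) bool {
	if len(response24) != 24 {
		return false
	}
	return subtle.ConstantTimeCompare(ChallengeResponse(hash16, challenge8), response24) == 1
}

func main() {
	ch := mustHex(testChallenge)
	nt := ChallengeResponse(mustHex(testNTHash), ch)
	lm := ChallengeResponse(mustHex(testLMHash), ch)
	fmt.Printf("NT response: %x\n", nt)
	fmt.Printf("LM response: %x\n", lm)
	fmt.Println("server verifies NT response:", VerifyResponse(mustHex(testNTHash), ch, nt))
}
```

Run with `go run`; the two printed responses should match the MS-NLMP vectors for that challenge. The same three-key DES construction is what the LM and NT variants share; only the 16-byte hash fed in differs.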