encrypted DCE/RPC - progress.

Luke Kenneth Casson Leighton lkcl at switchboard.net
Tue Feb 17 18:08:54 GMT 1998


On Wed, 18 Feb 1998, Paul Ashton wrote:

> At 15:06 17/02/98 , Luke Kenneth Casson Leighton wrote:
> >we don't know what the nt lm ssp encryption is: the default appears to be
> >rc4, but we don't know what the key is.  8 bytes come from the client, 8
> >from the server, and there should be some fancy function to create a key
> >for the rc4 decryption.
> 
> The NTLM SSP is contained in security.dll. Security.dll contains an
> implementation of rc4 internally (I don't know why it doesn't call
> the equivalent systemfunctionNNN()). It also calls systemfunction008
> at some point which I've never really looked at other than to note
> that it is a form of DES.

[probably a... 8-challenge/24-response calculator.  which i have some
vague - 4 months ago - recollection is used in NETLOGON.DLL].

> This form of NTLM is just like all
> the others in SMB, HTTP, etc. in which the server issues an 8
> byte challenge and the client responds with a 24 byte response
> which is a function of your password hash and the challenge.

but... but...  ah, ok.  so the "bind ack response" contains the 8 byte
challenge?

but... but... where does the "24 byte response" come into play?  i've
missed something, haven't i?  all i've seen so far is:

client -> bind req (no auth stuff)
server -> bind ack (8 byte challenge, padded to 16 bytes)

client -> rpc request (with 16 byte "authentication verifier")
server -> rpc response (with 16 byte "authentication verifier")

and unless i'm missing something, there's no 24 byte response in there.
i'll have another look at the netmonitor trace, though.

> [...]
> (or do it all from a disassembly).

could people on this list please bear in mind the following:

according to EC law, where information required for interoperability is
not available by any other means, reverse engineering is not considered
to be illegal.

some people may, however, be seriously offended (the person responsible
for these archives) if anyone posts reverse engineered source code to this
list.  please therefore only publish specifications to this list and
simultaneously to other lists / newsgroups.

> It would be nice if someone would like to tackle the
> NetServerPasswordSet RPC which is likely to be an
> implementation of one of the algorithms in the above
> documents. All it requires is a bit of research and
> the ability to write a few simple C programs to do
> stuff like DES and RC4 (using existing libraries).
> You don't even have to have an NT server and workstation,
> just someone willing to send some ASCII netmon dumps.

... to be sent, you mean?  hm.  i think there were some people who offered
to write small programs, a few months ago: i had some byte ordering issues
to contend with on sparcs.

do we have any programmers on this list?

lukes
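The exchange Paul describes above (an 8-byte server challenge answered with a 24-byte response computed from the password hash using DES), worked through as an added example that is not code from the original thread or from Samba. It implements the NTLM response computation as it was later documented publicly (Microsoft's MS-NLMP, the scheme now called NTLMv1), which this message does not spell out; the hash and challenge values are constructed, and the 16-byte hash is taken as input rather than derived from a password.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// desKeyFrom7 expands a 7-byte fragment into an 8-byte DES key: each 7-bit group
// becomes the top bits of a key byte, and the low bit is set to give odd parity.
func desKeyFrom7(k7 []byte) []byte {
	n := binary.BigEndian.Uint64(append([]byte{0}, k7[:7]...)) // 56-bit value
	key := make([]byte, 8)
	for i := uint(0); i < 8; i++ {
		b := byte((n>>(49-7*i))&0x7F) << 1
		key[i] = b | byte(1-bits.OnesCount8(b)%2) // set low bit iff popcount is even
	}
	return key
}

// ntlmResponse computes the 24-byte response: the 16-byte hash is zero-padded to
// 21 bytes, split into three 7-byte DES keys, and each key encrypts the challenge.
func ntlmResponse(hash16, challenge8 []byte) ([]byte, error) {
	if len(hash16) != 16 || len(challenge8) != 8 {
		return nil, fmt.Errorf("need a 16-byte hash and an 8-byte challenge")
	}
	padded := make([]byte, 21)
	copy(padded, hash16)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKeyFrom7(padded[7*i : 7*i+7]))
		if err != nil {
			return nil, err
		}
		out := make([]byte, 8)
		block.Encrypt(out, challenge8)
		resp = append(resp, out...)
	}
	return resp, nil
}

func main() {
	// Constructed sample values, not taken from any real netmon trace.
	hash, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	challenge, _ := hex.DecodeString("0123456789abcdef")
	resp, err := ntlmResponse(hash, challenge)
	fmt.Printf("challenge %x -> response %x (%d bytes, err=%v)\n", challenge, resp, len(resp), err)
}
```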


