encrypted DCE/RPC - progress.

Luke Kenneth Casson Leighton lkcl at switchboard.net
Wed Feb 18 11:44:49 GMT 1998

On Wed, 18 Feb 1998, Luke Kenneth Casson Leighton wrote:

> On Wed, 18 Feb 1998, Luke Kenneth Casson Leighton wrote:
> > paul ashton is exploring the nt lm ssp interface, and the password
> > changing (samr commands 0x38 and 0x37).  i've added dce/rpc parsing
> > support for the "authentication verification" (to be tested shortly :-) in
> > the bind / bind ack, but not the encryption of the "stub data".
> just noticed that this is a 16 byte key from the server, 8 bytes of which
> are zero.  there's nothing from the client in the bind request.

that's because it sends an SMBwriteX, which i will have to implement. 
this will provide the NTLM 8-byte challenge / 24-byte responses system.
it's really really wierd that this _can_ also done in the SMBnegprot /
SMBsessionsetupX to establish the connection over which DCE/RPC is sent,
but this is totally independent of that.

> client-> rpc bind req (negotiate nt lm ssp)
> server-> rpc bind resp (confirm nt lm ssp, send 16 byte stuff)

client -> SMBwriteX (user, domain, wksta + 24 byte lm and nt responses)
server -> SMBwriteX response (just an acknowledgement).

> client-> rpc request  - stub data plus 16 byte "authenticator".
> server-> rpc response - stub data plus 16 byte "authenticator".

More information about the samba-ntdom mailing list