Authentication ....
Luke Kenneth Casson Leighton
lkcl at samba.org
Thu Jan 25 10:49:52 GMT 2001
> > the user session key [the use of which is part of the security problem] is
> > used as the RC4 key.
> >
> > that's all there is to it.
> >
> > it is "assumed" that the RC4 key - the user session key - cannot be
> > spoofed.
> >
> > which is utterly STUPID because on ntlm v1 it's just MD4(nt password
> > hash).
>
> I agree with you Luke, it's a bit light on the security side. But on NT,
> in which calls can the RC4 key be spoofed?
see below.
> Unless you have also spoofed the machine password, it's pretty hard and
> long.
the workstation trust account is not involved with the
SamrSetInformationUser and SamrGetInfoUser calls, or the LsaSetSecret, or
the LsaQuerySecret (the latter now only works on NT4 SP3 and below, AS/U
and all ports, and Samba TNG).
> And brute forcing the NT hash doesn't give you anything in that case.
correct. however, as i said, the wksta trust is not involved, here.
i have outlined in detail how to mount security attacks against
SamrGet/SetInfoUser, on NTBUGTRAQ. approx april/may 2000.
basically you look for two SamrSetInfoUser calls and XOR them together.
standard RC4 crypto attack.
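The keystream-reuse property the post relies on, shown as an added illustration that is not code from this thread or from Samba: two messages encrypted under the same RC4 key XOR to the XOR of their plaintexts, so the key drops out, while deriving a fresh key per message (an illustrative mitigation, not what NT does) removes that cancellation. The session key and payloads below are constructed values, not real NT data.

```python
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


# Constructed stand-in for a user session key (not a real NT value).
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Two constructed payloads, standing in for two SamrSetInfoUser buffers
# that a sender encrypts under the same session key.
P1 = b"first password buffer   "
P2 = b"second password buffer  "


def ciphertexts_same_key():
    """Both payloads encrypted under one key: the keystream is reused."""
    return rc4(SESSION_KEY, P1), rc4(SESSION_KEY, P2)


def keystream_cancels(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts under one keystream equals P1 XOR P2."""
    return xor_bytes(c1, c2)


def per_message_key(session_key: bytes, nonce: bytes) -> bytes:
    """Illustrative mitigation only (hypothetical, not NT's scheme)."""
    return hashlib.sha256(session_key + nonce).digest()[:16]


def ciphertexts_fresh_keys():
    """Distinct per-message keys: XOR of ciphertexts no longer cancels."""
    k1 = per_message_key(SESSION_KEY, b"nonce-1")
    k2 = per_message_key(SESSION_KEY, b"nonce-2")
    return rc4(k1, P1), rc4(k2, P2)
```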