Luke Kenneth Casson Leighton
lkcl at samba.org
Thu Jan 25 10:49:52 GMT 2001
> > the user session key [the use of which is part of the security problem] is
> > used as the RC4 key.
> > that's all there is to it.
> > it is "assumed" that the RC4 key - the user session key - cannot be
> > spoofed.
> > which is utterly STUPID because on ntlm v1 it's just MD4(nt password
> > hash).
> I agree with you Luke, it's a bit light on the security side. But on NT,
> in which calls can the RC4 key be spoofed?
> Unless you have also spoofed the machine password, it's pretty hard and
the workstation trust account is not involved with the
SamrSetInformationUser and SamrGetInfoUser calls, or the LsaSetSecret, or
the LsaQuerySecret (the latter now only works on NT4 SP3 and below, AS/U
and all ports, and Samba TNG).
> And brute forcing the NT hash doesn't give you anything in that case.
correct. however, as i said, the wksta trust is not involved, here.
i have outlined in detail how to do security attacks against
SamrGet/SetInfoUser, on NTBUGTRAQ. approx april/may 2000.
basically you look for two SamrSetInfoUser calls and XOR them together.
standard RC4 crypto attack.
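The stream-cipher key-reuse property the message above relies on, as an added example that is not part of the original thread: with a static RC4 key the keystream cancels when two ciphertexts are XORed, leaving the XOR of the two plaintexts. The 16-byte session key, the nonce-based per-message key derivation shown as the mitigation, and the sample messages are all constructed for this demonstration, not taken from the SAMR protocol.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed stand-in for a user session key (16 bytes, the size of an NT hash).
SESSION_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")

def static_key_leak(p1: bytes, p2: bytes) -> bytes:
    """Encrypt two messages under the same static RC4 key and return the XOR of
    the ciphertexts. The keystream cancels, so the result equals p1 XOR p2:
    whoever knows (or can guess) one message learns the other. This is the
    weakness of using the session key directly as the RC4 key."""
    c1 = rc4(SESSION_KEY, p1)
    c2 = rc4(SESSION_KEY, p2)
    return xor(c1, c2)

def per_message_key(session_key: bytes, nonce: bytes) -> bytes:
    """Mitigation (constructed KDF): derive a fresh RC4 key per message from the
    session key and a unique nonce, so no two messages share a keystream."""
    return hashlib.sha256(session_key + nonce).digest()[:16]

def salted_key_leak(p1: bytes, p2: bytes, n1: bytes, n2: bytes) -> bytes:
    """Same XOR check with per-message keys: the keystreams no longer cancel."""
    c1 = rc4(per_message_key(SESSION_KEY, n1), p1)
    c2 = rc4(per_message_key(SESSION_KEY, n2), p2)
    return xor(c1, c2)
```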