Authentication ....

Luke Kenneth Casson Leighton lkcl at
Thu Jan 25 10:49:52 GMT 2001

> > the user session key [the use of which is part of the security problem] is
> > used as the RC4 key.
> > 
> > that's all there is to it.
> > 
> > it is "assumed" that the RC4 key - the user session key - cannot be
> > spoofed.
> > 
> > which it utterly STUPID because on ntlm v1 it's just MD4(nt password
> > hash).
> I agree with you Luke, it's a bit light on the security side. But on NT,
> in which calls can the RC4 key be spoofed ?

see below.
> Unless you have also spoofed the machine password, it's pretty hard and
> long.

the workstation trust account is not involved with the
SamrSetInformationUser and SamrGetInfoUser calls, or the LsaSetSecret, or
the LsaQuerySecret (the latter now only works on NT4 SP3 and below, AS/U
and all ports, and Samba TNG).
> And brute forcing the NT hash doesn't give you anything in that case.

correct.  however, as i said, the wksta trust is not involved, here.

i have outlined in detail how to security attacks against
SamrGet/SetInfoUser, on NTBUGTRAQ.  approx april/may 2000.

basically you look for two SamrSetInfoUser calls and XOR them together.

standard RC4 crypto attack.

More information about the samba-ntdom mailing list