SamrSetInformation2 (was Re: coding binge coming on.)
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Thu Mar 11 18:53:22 GMT 1999
8-byte session key is calculated from trust account. it's stored on a
per-connection basis in struct pipes_struct, see credentials.c.
On Wed, 10 Mar 1999, Todd Sabin wrote:
> Luke wrote:
> > > > that requires info from microsoft on how they obfuscate an area of the rpc
> > > > code that contains six buffers (four unicode strings: two passwords).
> > > >
> > >
> > > The SamrSetInformationUser2 call looks to have some ugly stuff in it. Is
> > > this the one you're referring to? I have the sniff if you want it.
> > it's going to be full, in the middle, of total garbage, probably
> > surrounded by mostly null chars.
> Yes, it looks like SamrSetInformationUser2. There's a big block of
> gibberish in the middle. If it's like other MS stuff, it's probably
> a block of 0x204 characters encrypted by the session key and arcfour.
> After decryption, the last four of the 0x204 bytes will be the real
> length of the password (N), the password will be at the last N bytes
> of the first 0x200 bytes, and the stuff at the beginning of the 0x200
> bytes will just be garbage. Of course, that's just a guess.
> How does NT generate its session keys? Is knowing the password and
> having the sniff enough to determine the session key, or would I have
> to grab it from system memory at the time it happens? I.e., how
> can I verify the above?
Luke Kenneth Casson Leighton <lkcl at samba.org>
Samba and Network Development: http://www.cb1.com/~lkcl
Samba Web site: http://samba.org
Luke Kenneth Casson Leighton | Direct Dial : (678) 443-6183
Systems Engineer / ISS XForce Team | ISS Front Desk: (678) 443-6000
Internet Security Systems, Inc. | ISS Fax : (678) 443-6477
http://www.iss.net/ *Adaptive Network Security for the Enterprise*
ISS Connect - International User Conference - May '99
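The buffer layout Todd guesses at above, worked through as an added example that is not part of the original thread or of Samba's code: an encoder and decoder for the 0x204-byte blob (password right-aligned in the first 0x200 bytes, its byte length N in the trailing 4 bytes, the whole thing RC4-encrypted under the session key). The layout is the one Todd describes; the 8-byte session key, the password and the filler are constructed sample values, not taken from any capture.

```python
import struct

BUF_LEN = 0x200   # 512 bytes of UTF-16LE password data, password right-aligned
BLOB_LEN = 0x204  # plus a 4-byte little-endian length field at the end


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (arcfour); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_password_blob(password: str, session_key: bytes, filler: bytes = b"") -> bytes:
    """Build the 0x204-byte blob: filler, then the UTF-16LE password at the end of
    the first 0x200 bytes, then N (password byte length) as a 4-byte LE integer,
    all RC4-encrypted under the session key. Filler defaults to NUL bytes."""
    pw = password.encode("utf-16-le")
    if len(pw) > BUF_LEN:
        raise ValueError("password too long for a 0x200-byte buffer")
    pad = filler[: BUF_LEN - len(pw)].ljust(BUF_LEN - len(pw), b"\x00")
    clear = pad + pw + struct.pack("<I", len(pw))
    return rc4(session_key, clear)


def decode_password_blob(blob: bytes, session_key: bytes) -> str:
    """Reverse of the above: decrypt, read N from the last 4 bytes and take the
    last N bytes of the 0x200-byte area. Anything that does not fit the layout
    (wrong size, N too large, odd N for UTF-16) is rejected rather than guessed."""
    if len(blob) != BLOB_LEN:
        raise ValueError("blob must be exactly 0x204 bytes")
    clear = rc4(session_key, blob)
    (n,) = struct.unpack("<I", clear[BUF_LEN:])
    if n > BUF_LEN or n % 2:
        raise ValueError("length field %d is not a valid UTF-16LE byte count" % n)
    return clear[BUF_LEN - n:BUF_LEN].decode("utf-16-le")


# Constructed sample values (hypothetical, not from a real sniff).
SESSION_KEY = bytes.fromhex("0123456789abcdef")            # 8 bytes, as Luke describes
SAMPLE_BLOB = encode_password_blob("Secr3t!", SESSION_KEY, filler=b"garbage " * 64)
```

With the session key known, `decode_password_blob(SAMPLE_BLOB, SESSION_KEY)` yields the password back; with a wrong key the length field almost always fails the sanity check, which is the quickest way to tell whether a guessed key is right.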