SamrSetInformation2 (was Re: coding binge coming on.)

Luke Kenneth Casson Leighton lkcl at
Thu Mar 11 18:53:22 GMT 1999

The 8-byte session key is calculated from the trust account.  It's stored on a
per-connection basis in struct pipes_struct; see credentials.c.

On Wed, 10 Mar 1999, Todd Sabin wrote:

> Luke wrote:
> > > > that requires info from Microsoft on how they obfuscate an area of the RPC
> > > > code that contains six buffers (four unicode strings: two passwords).
> > > > 
> > > 
> > > The SamrSetInformationUser2 call looks to have some ugly stuff in it.  Is
> > > this the one you're referring to?  I have the sniff if you want it.
> > 
> > it's going to be full, in the middle, of total garbage, probably
> > surrounded by mostly null chars.
> > 
> Yes, it looks like SamrSetInformationUser2.  There's a big block of
> gibberish in the middle.  If it's like other MS stuff, it's probably
> a block of 0x204 characters encrypted by the session key and arcfour.
> After decryption, the last four of the 0x204 bytes will be the real
> length of the password (N), the password will be at the last N bytes
> of the first 0x200 bytes, and the stuff at the beginning of the 0x200
> bytes will just be garbage.  Of course, that's just a guess.
> How does NT generate its session keys?  Is knowing the password and
> having the sniff enough to determine the session key, or would I have
> to grab it from system memory at the time it happens?  I.e., how
> can I verify the above?
> Todd


Luke Kenneth Casson Leighton        |  Direct Dial   : (678) 443-6183
Systems Engineer / ISS XForce Team  |  ISS Front Desk: (678) 443-6000
Internet Security Systems, Inc.     |  ISS Fax       : (678) 443-6477
           *Adaptive Network Security for the Enterprise*
     ISS Connect   -   International User Conference   -  May '99
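The buffer layout Todd guesses at above (0x204 bytes, RC4 under the session key, last four bytes the password length N, password in the last N bytes of the first 0x200, random filler before it) is easy to exercise end to end. The block below is an added example written for this page, not Samba's or Microsoft's code: it encodes and decodes such a buffer with a hand-rolled RC4 so it runs offline. The session key is a constructed placeholder; how NT actually derives it is not shown, and nothing here depends on its length. It also answers the "how can I verify the above?" question in the practical way: decrypt with the candidate key and check whether the length field comes out plausible, since a wrong key turns it into random bits.

```python
"""Added example (not Samba code): the 0x204-byte encrypted password buffer
as described in the thread, with a plain RC4 so it runs offline.
The session key used below is a constructed placeholder."""
import os
import struct

BUF_LEN = 0x204      # 0x200 bytes of data followed by a 4-byte length field
DATA_LEN = 0x200


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (arcfour). The same call encrypts and decrypts."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                         # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                               # keystream + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_pw_buffer(password: str, session_key: bytes, rng=os.urandom) -> bytes:
    """Build [random filler][password as UTF-16LE][u32 LE length], then RC4 it."""
    pw = password.encode("utf-16-le")
    if len(pw) > DATA_LEN:
        raise ValueError("password too long for the buffer")
    filler = rng(DATA_LEN - len(pw))             # the 'garbage' at the start
    plain = filler + pw + struct.pack("<I", len(pw))
    assert len(plain) == BUF_LEN
    return rc4(session_key, plain)


def decode_pw_buffer(buf: bytes, session_key: bytes) -> str:
    """Decrypt and pull the password out of the last N bytes of the first 0x200.
    Raises ValueError when the length field is implausible, which is the
    quickest sign that the candidate session key is wrong."""
    if len(buf) != BUF_LEN:
        raise ValueError(f"expected {BUF_LEN} bytes, got {len(buf)}")
    plain = rc4(session_key, buf)
    (n,) = struct.unpack("<I", plain[DATA_LEN:])
    # With the wrong key these 4 bytes are effectively random: almost never
    # an even value <= 0x200.
    if n > DATA_LEN or n % 2:
        raise ValueError(f"length field 0x{n:x} implausible: wrong session key?")
    try:
        return plain[DATA_LEN - n:DATA_LEN].decode("utf-16-le")
    except UnicodeDecodeError as e:
        raise ValueError("password bytes are not UTF-16LE: wrong session key?") from e


def roundtrip_ok(password: str, session_key: bytes) -> bool:
    """Encode then decode under the same key; True if the password survives."""
    return decode_pw_buffer(encode_pw_buffer(password, session_key), session_key) == password


if __name__ == "__main__":
    key = bytes(range(16))                        # constructed placeholder key
    blob = encode_pw_buffer("S3cret!", key)
    print(len(blob), decode_pw_buffer(blob, key))
```

Against a real capture the same decode function is the check: feed it the 0x204-byte block from the sniff and the session key you believe was in use, and a sane length field followed by readable UTF-16 is strong evidence the key (and the layout guess) is right.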
