Password encryption in 2.2.0

Richard Sharpe sharpe at ns.aus.com
Sat Apr 28 05:56:55 GMT 2001


At 01:10 AM 4/28/01 -0400, Michael B. Allen wrote:
>On Sat, Apr 28, 2001 at 02:06:30PM +0900, Richard Sharpe wrote:
>> >Actually I think I understand. If the algo is:
>> >
>> >P24 = E(MD4(U(PN) + 5 NULLs, C8))
>> >
>> >Then you're just doing the:
>> >
>> >MD4(U(PN) + 5 NULLs
>> >
>> >part first and that's what's in the smbpassword file? 
>> 
>> Close ... Just the MD4(PW) is kept in the smbpasswd file for the NT
>> Password. It is not converted to upper case.
>> 
>> However, the LanMan hash is also kept there, and that is really bogus. It
>> does UC the password, and splits it into two 7-Char (56-bit) keys to DES.
>
>Ok. Curiosity completely satisfied :~) Thanks.
>
>This reminds me of something that hung me up pretty bad when I did this
>auth for jcifs. The CIFS docs read:
>
>2.10.1 Pre NT LM 0.12
>
>o P14 is a 14 byte string containing the user's password in clear text,
>upper cased, padded with spaces.
>
>... with spaces?!

Oh yes ... Have a look at ntcrack ... Because of the space padding, the
case folding, and the fact that the up-to-14-char password is split into
two 7-char keys, LM hashes can be relatively easily broken ...

Although, I was under the impression that they were padded with NULL, just
like the P21 ...

>:~)
>
>-- 
>signature pending
>

Regards
-------
Richard Sharpe, sharpe at ns.aus.com
Samba (Team member, www.samba.org), Ethereal (Team member, www.ethereal.com)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba
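The key layout the thread is talking about, as an added example that is not code from the thread, Samba or jcifs: P14 construction for the LanMan hash, the split into two independent 7-byte halves, the same 7-byte-to-8-byte DES key expansion that is applied to the 21-byte P21 before encrypting the challenge C8, and an audit check for the structural weakness Richard mentions. Padding uses NUL bytes, as in the standard LM algorithm (Richard's recollection), not the spaces of the CIFS draft Michael quotes; function names are this example's own.

```python
# Added example: byte layout of LM / NTLM key material as discussed above.
# No DES is performed here; the functions only build the keys that would be
# handed to DES, so the parity and split rules are visible on their own.

def lm_p14(password: str) -> bytes:
    """P14: upper-case the password, truncate to 14 bytes, NUL-pad to 14.
    LM uses the OEM/ASCII form of the password, not the Unicode U(PN)."""
    raw = password.upper().encode("ascii")[:14]
    return raw.ljust(14, b"\x00")          # NUL padding (standard LM algorithm)

def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits per byte, low bit = odd parity.
    This is the str_to_key()-style layout SMB/NTLM implementations use."""
    assert len(key7) == 7
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F   # next 7 bits, top down
        byte = seven << 1                        # leave bit 0 for parity
        if bin(byte).count("1") % 2 == 0:        # force odd parity
            byte |= 1
        out.append(byte)
    return bytes(out)

def lm_des_keys(password: str):
    """The two independent DES keys for the LM hash. Each half of P14 encrypts
    a fixed 8-byte constant on its own, so the halves never mix."""
    p14 = lm_p14(password)
    return expand_des_key(p14[:7]), expand_des_key(p14[7:])

def p21_des_keys(password_hash16: bytes):
    """P21 = 16-byte hash + 5 NULs, split into three 7-byte DES keys. Each key
    encrypts the 8-byte challenge C8; the three outputs form the 24-byte P24."""
    assert len(password_hash16) == 16
    p21 = password_hash16 + b"\x00" * 5
    return tuple(expand_des_key(p21[i:i + 7]) for i in (0, 7, 14))

def lm_second_half_is_empty(password: str) -> bool:
    """Audit check: with 7 or fewer characters the second LM half is all NUL,
    so its DES key (and hash half) is identical for every such password."""
    return lm_p14(password)[7:] == b"\x00" * 7
```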
