(no subject)

Luke Kenneth Casson Leighton lkcl at samba-tng.org
Sun Jun 16 15:57:06 GMT 2002


a reminder.

i'm still extremely distressed and upset with you.
the only way for me to deal with this is not to deal
with it.

i still receive messages from people asking for my
assistance.

and it distresses me to have to turn them down.

you still have a lot to answer for, and it's been over
two years now.

you think you are so clever, that you have to have an
answer for everything, to win everything, to control
everything.

sometimes by winning you cause people pain and distress
and you lose more than you could possibly have gained.

l.

p.s. if you have an answer to this guy's questions, please
forward them to me, i'll forward them to him.

------

hiya,

well i been out the picture so long it'd take me a while
to answer you, and it's time i really don't have right
now.

two years ago, i would definitely help you out, no question.

now all this does is remind me of the opportunities that
have been forcibly lost.

l.

-- 
----------------------------------------------------------
this message is private, confidential, and is intended for
the specified recipients only.  if you received in error,
altered, deleted, modified, destroyed or interfered with
the contents of this message, in whole or in part, please
inform the sender (that's me), immediately.

if you, the recipient, reply to this message, and do not
then receive a response, please consider your reply to have
been lost or deliberately destroyed: i *always* acknowledge
personal email received.  please therefore take appropriate
action and use appropriate protocols to ensure effective
communication.

thank you.

----- Forwarded message from -----

Envelope-to: lkcl at localhost
From: 
X-Confirm-Reading-To: 
Disposition-Notification-To: 
Return-Receipt-To: 
To: lkcl at samba-tng.org

Hello Luke,

I really want to start sleeping at night ........

Investigating the TNG source code I reached the function
"create_ntlmssp_bind_cont" in "cli_pipe_ntlmssp.c"

Please let me know if I'm on the right way.....


-> pwd_make_lm_nt_owf(&usr->pwd, a->ntlmssp_chal.challenge, usr_sess_key);
Here the LM and NT OWFs are created and DES encrypted using the server
challenge from a previous packet from the server.


-> create_ntlmssp_rpc_bind_resp(&usr->pwd, usr->domain,usr->user_name, global_myname,
->                             a->ntlmssp_chal.neg_flags,rpc_call_id,
->                             &hdra, &hdr_autha, &auth_resp);
The response NTLMSSP packet is created

-> cli_set_con_usr_sesskey(con, usr_sess_key);
The session Key is set

-> pwd_get_lm_nt_owf(&usr->pwd, lm_owf, NULL, NULL);
-> pwd_get_lm_nt_16(&usr->pwd, lm_hash, NULL);
Here the LM OWF and LM Hash (I suppose the first 16 bytes of LM OWF)
are inserted in lm_owf and lm_hash variables.

-> NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
This is another DES encryption of the LM OWF generating a 24 bytes
value used for another RC4 encryption that follows....

-> {
->    unsigned char j = 0;
->    int ind;
->    unsigned char k2[8];
->    memcpy(k2, p24, 5);
->    k2[5] = 0xe5;
->    k2[6] = 0x38;
->    k2[7] = 0xb0;

This is an RC4 Table Initialization
->    for (ind = 0; ind < 256; ind++){
->        a->ntlmssp_hash[ind] = (unsigned char)ind;
->    }
This is an RC4 Table Expansion using the 8 bytes (5 + 0xe5 0x38 0xb0)
Key derived from the above NTLMSSPOWFencrypt function.
->    for (ind = 0; ind < 256; ind++)
->    {
->        unsigned char tc;
->        j += (a->ntlmssp_hash[ind] + k2[ind%8]);
->        tc = a->ntlmssp_hash[ind];
->        a->ntlmssp_hash[ind] = a->ntlmssp_hash[j];
->        a->ntlmssp_hash[j] = tc;
->    }
->        a->ntlmssp_hash[256] = 0;
->        a->ntlmssp_hash[257] = 0;
->   }

Data is not encrypted here this is only a preparation of the RC4
table. The RC4 encryption routine is the function
"static void NTLMSSPcalc_ap( struct ntlmssp_auth_struct *a, unsigned char *data, int len)"
that uses the RC4 pre-created table a->ntlmssp_hash.

It is not clear to me if at this point this RC4 encryption is used to
encrypt the entire data or the AUTH structure only.....

From the other side (the server side) I reached the function
"api_ntlmssp_verify" in "srv_pipe_ntlmssp.c" that seems to be written by/for you...

-> if (l->auth_validated)
-> {
->             /************************************************************/
->             /****************** lkclXXXX - NTLMv1 ONLY! *****************/
->             /************************************************************/
->             uchar p24[24];
->             uchar j = 0;
->             int ind;
->             uchar password[16];
->             uchar k2[16];
->             int len;
->             ZERO_STRUCT(password);

I really have to figure out the contents of info3.padding.....
Can you confirm to me that these are the first 8 byte of the LM Hash
transmitted on the network ?????!!?!?!?!?!?
->             memcpy(password, info3.padding, 8);

Here there is another DES encryption/decryption of the lm_owf using
the password (8 bytes ?????) as key -> generating a 24 bytes key used
in the following RC4 expansion .....
->             NTLMSSPOWFencrypt(password, lm_owf, p24);

-> if (True)
-> {
->    len = 8;
->    memcpy(k2, p24, 5);
->    k2[5] = 0xe5;
->    k2[6] = 0x38;
->    k2[7] = 0xb0;
-> }
-> else
-> {
->     len = 16;
->     memcpy(k2, p24, 16);
->   }

Here the RC4 Table Initialization
-> for (ind = 0; ind < 256; ind++) {
->      a->ntlmssp_hash[ind] = (uchar) ind;
->   }

Here the RC4 Table Expansion
->  for (ind = 0; ind < 256; ind++)
->               {
->                         uchar tc;
->                         j += (a->ntlmssp_hash[ind] + k2[ind % len]);
->                         tc = a->ntlmssp_hash[ind];
->                         a->ntlmssp_hash[ind] = a->ntlmssp_hash[j];
->                         a->ntlmssp_hash[j] = tc;
->                 }
->                 a->ntlmssp_hash[256] = 0;
->                 a->ntlmssp_hash[257] = 0;
->                 a->ntlmssp_seq_num = 0;
->         }

The RC4 encryption routine is done in another function:

"void NTLMSSPcalc_p(ntlmssp_auth_struct * a, uchar * data, int len)"

another time it is not clear what is the data to be encrypted,
decrypted.......

At this point (4.12 am) I think that I really need some debugging
information...

I've modified the file "cliconnect.c" and "clientgen.c" in the way
that Samba can handle NTLMSSP packets but I really cannot make it work
with them.

I'm using the "rpclient", NTLMv2 disabled  and encrypted password = yes...
The error code is "failed session setup" from the
/* first session negotiation stage */

How can I do to make Samba TNG working with NTLMSSP packets ????


I really appreciate any kind of help from you, I promise that I'll buy
ten copies of your book....

My goal is to check the correctness of a password sent on the network
using NTLMv1 and NTLMSSP packets (security blobs). An example of the
parameters grabbed from the network are:
(I'm on a Win2k workstation with a local security policy for LM
Authentication level set as "Send NTLM response only" and I'm
connecting to another Win2k workstation)

Username = Test;
Domain = TEST
Local Policy Setting = NTLMv1 only (NTLMSSP);
LM Hash = C0E61B6CA7808A030000000000000000;
NT Hash = 5D942D84DA6ECB92754A09CB4508BAD8;
Server Challenge = C36EDAF998C401FA;
LM Client Challenge = 0000000000000000;
NT Client Challenge = D13D968B16C00063;

Using these parameters I want to check the correctness of the password
that is "test".

thanks in advance....
-- 
Best regards,


----- End forwarded message -----
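The RC4 table construction the forwarded message walks through (k2 built from p24, the 256-entry permutation with the i/j counters kept in slots 256 and 257, and the NTLMSSPcalc_* stream step), as an added Python example that is not Samba TNG code and not part of the original thread. SAMPLE_P24 is a constructed stand-in for the output of NTLMSSPOWFencrypt(); the DES step itself is not reproduced here.

```python
# Constructed sample standing in for NTLMSSPOWFencrypt() output (24 bytes).
SAMPLE_P24 = bytes(range(0x10, 0x10 + 24))


def ntlmssp_rc4_key(p24: bytes, weakened: bool = True) -> bytes:
    """k2[] as built in the quoted code.  weakened=True is the live
    'if (True)' branch: 5 bytes of p24 plus the fixed e5 38 b0, so only
    40 bits are secret.  weakened=False is the dead 'else' branch."""
    if weakened:
        return p24[:5] + b"\xe5\x38\xb0"
    return p24[:16]


def ntlmssp_hash_init(k2: bytes) -> bytearray:
    """RC4 key schedule in the layout a->ntlmssp_hash[] uses:
    [0..255] is the permutation, [256] and [257] are the i/j counters."""
    table = bytearray(range(256)) + bytearray(2)
    j = 0
    for ind in range(256):                       # the 'table expansion'
        j = (j + table[ind] + k2[ind % len(k2)]) & 0xFF   # j is a uchar
        table[ind], table[j] = table[j], table[ind]
    return table                                 # [256] = [257] = 0


def ntlmssp_calc(table: bytearray, data: bytes) -> bytes:
    """RC4 stream step as NTLMSSPcalc_ap()/NTLMSSPcalc_p(): XOR the
    keystream into data and persist i/j in the table, so successive
    calls continue the same stream and PDUs must be handled in order."""
    i, j = table[256], table[257]
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + table[i]) & 0xFF
        table[i], table[j] = table[j], table[i]
        out.append(byte ^ table[(table[i] + table[j]) & 0xFF])
    table[256], table[257] = i, j
    return bytes(out)


def seal_then_unseal(p24: bytes, plaintext: bytes) -> bytes:
    """Client and server each derive their own table from the same p24;
    the server recovers the plaintext only if both run in lock-step."""
    client = ntlmssp_hash_init(ntlmssp_rc4_key(p24))
    server = ntlmssp_hash_init(ntlmssp_rc4_key(p24))
    return ntlmssp_calc(server, ntlmssp_calc(client, plaintext))
```

Only the first five bytes of p24 reach the key; the other three are the fixed e5 38 b0 constants, so the sealed stream rests on 40 secret bits. Because the table carries i/j between calls, a dropped or reordered fragment desynchronises the two sides and every later PDU decrypts to garbage.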





