"Secure" channel demystifying?

Dimitry V. Ketov Dimitry.Ketov at avalon.ru
Wed Jul 7 13:03:31 GMT 2004

> Even in a domain membership NTLM is used for user logon but 
> in a somewhat modified and more secure manner than normal NTLM, 
> and also made more efficient and less demanding on the domain 
> controller thanks to the already established trust between the 
> member server and domain controller. The computer account 
> password encrypts important fields to protect from 

This is my packet capture analysis:
C (Client - Win2K), S (Server - samba 2.2.8), DC (Domain Controller - Win2k)

C ------- Negotiate Req -------> S
C <------ Negotiate Repl ------- S
      (Encryption key: XXXX )
C -- Session & Tree Conn Req --> S
        (ANSI Pass: AAAA)
       (UNICODE Pass: UUUU)
                                 S ------- Negotiate Req -------> DC
                                 S <------ Negotiate Repl ------- DC
                                 S <------ .............. ------> DC
                                 S ------ NetrSamLogon Req -----> DC
                                         (Challenge: XXXX)
                                      (NT Challenge Resp: UUUU)
                                      (LM Challenge Resp: AAAA)
                                 S <----- NetrSamLogon Repl ----- DC
C <- Session & Tree Conn Repl -- S

As I can see, it's just normal LM/NTLM challenges and responses inside the NETLOGON "secure" channel, copied from the client/server LM/NTLM authentication.

Where is that "protection"? :(
Furthermore, it seems it doesn't conform to the NETLOGON authentication stated in http://www.samba.org/samba/devel/docs/html/Samba-Developers-Guide.html#id2878012

> man-in-the-middle and the NTLM challenge is generated by the 
> station, not the server, further protecting from 
> man-in-the-middle redirection attacks as the information 
> exchanged can not be redirected to allow the attacker to 
> authenticate to any station with the users credentials.

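The three-party flow in the capture above (C sends a response to S's challenge, S forwards challenge and response to the DC in NetrSamLogon, the DC verifies against the stored hash), as an added example that is not part of the original post, of Samba, or of Windows. It is a model, not a protocol implementation: the NETLOGON channel encryption is not simulated, user/domain/password are constructed, and the response is computed with NTLMv2 (HMAC-MD5 over the NT hash) rather than the DES-based LM/NTLM responses seen in the capture, because a DES implementation would not fit here; the relay structure is the same either way. MD4 is written out inline because OpenSSL 3 builds of Python's hashlib often do not provide it.

```python
import hmac
import os
import struct
from hashlib import md5


# MD4 (RFC 1320), inlined because hashlib.new("md4") is often unavailable.
# NT hash = MD4(UTF-16LE(password)).
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF
        c, d = (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(nt: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), md5).digest()


def ntlmv2_proof(v2hash: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(v2hash, server_challenge + blob, md5).digest()


class Client:
    """C: knows the password, so it can answer S's challenge."""
    def __init__(self, user, domain, password):
        self.user, self.domain, self.nt = user, domain, nt_hash(password)

    def respond(self, server_challenge: bytes):
        blob = os.urandom(8)  # simplified: a real NTLMv2 blob also carries a timestamp and target info
        proof = ntlmv2_proof(ntlmv2_hash(self.nt, self.user, self.domain), server_challenge, blob)
        return self.user, self.domain, proof + blob


class MemberServer:
    """S: picks the challenge but has no copy of the user's hash, so it cannot
    check the response itself; it hands challenge + response to the DC."""
    def __init__(self, dc):
        self.dc, self.challenge, self.forwarded = dc, None, []

    def negotiate(self) -> bytes:
        self.challenge = os.urandom(8)  # the "Encryption key" in the Negotiate reply
        return self.challenge

    def session_setup(self, user, domain, nt_response) -> bool:
        req = {"challenge": self.challenge, "user": user, "domain": domain, "nt_response": nt_response}
        self.forwarded.append(req)  # what goes to the DC as NetrSamLogon
        return self.dc.netr_sam_logon(**req)


class DomainController:
    """DC: holds the NT hashes and recomputes the expected response."""
    def __init__(self, accounts):
        self.accounts = accounts  # constructed store: {(DOMAIN, USER): nt_hash}

    def netr_sam_logon(self, challenge, user, domain, nt_response) -> bool:
        nt = self.accounts.get((domain.upper(), user.upper()))
        if nt is None or len(nt_response) <= 16:
            return False
        proof, blob = nt_response[:16], nt_response[16:]
        expected = ntlmv2_proof(ntlmv2_hash(nt, user, domain), challenge, blob)
        return hmac.compare_digest(proof, expected)


def run_exchange(password="password", typed_password=None, user="alice", domain="AVALON"):
    """One C -> S -> DC logon. Returns (accepted, S forwarded challenge and response unchanged)."""
    dc = DomainController({(domain.upper(), user.upper()): nt_hash(password)})
    srv = MemberServer(dc)
    client = Client(user, domain, typed_password if typed_password is not None else password)
    chal = srv.negotiate()
    u, d, resp = client.respond(chal)
    ok = srv.session_setup(u, d, resp)
    fwd = srv.forwarded[-1]
    return ok, (fwd["challenge"] == chal and fwd["nt_response"] == resp)


if __name__ == "__main__":
    print("good password ->", run_exchange())
    print("wrong password ->", run_exchange(typed_password="wrong"))
```

Inspecting `srv.forwarded` after a run shows the point made in the post: the values S sends in NetrSamLogon are byte-for-byte the challenge it issued and the response C returned, and the only party able to say whether they match is the one holding the hash. The DC rejects a wrong password and also rejects a response replayed against a different challenge, which is why the choice of who generates the challenge matters for the man-in-the-middle argument in the quoted text.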