"Secure" channel demystifying?
Dimitry V. Ketov
Dimitry.Ketov at avalon.ru
Wed Jul 7 13:03:31 GMT 2004
> Even in a domain membership NTLM is used for user logon but
> in a somewhat modified and secure manner than normal NTLM,
> and also made more efficient and less demanding on the domain
> controller thanks to the already established trust between the
> member server and domain controller. The computer account
> password encrypts important fields to protect from
This is my packet capture analysis:
C (Client - Win2K), S (Server - samba 2.2.8), DC (Domain Controller - Win2k)
C ------- Negotiate Req -------> S
C <------ Negotiate Repl ------- S
(Encryption key: XXXX )
C -- Session & Tree Conn Req --> S
(ANSI Pass: AAAA)
(UNICODE Pass: UUUU)
S ------- Negotiate Req -------> DC
S <------ Negotiate Repl ------- DC
S <------ .............. ------> DC
S ------ NetrSamLogon Req -----> DC
(Challenge: XXXX)
(NT Challenge Resp: UUUU)
(LM Challenge Resp: AAAA)
S <----- NetrSamLogon Repl ----- DC
C <- Session & Tree Conn Repl -- S
As I can see, it's just normal LM/NTLM challenges and responses inside the NETLOGON "secure" channel, copied from the client/server LM/NTLM authentication.
Where is that "protection" ? :(
Furthermore, it seems not to conform to the NETLOGON authentication described in http://www.samba.org/samba/devel/docs/html/Samba-Developers-Guide.html#id2878012
> man-in-the-middle and the NTLM challenge is generated by the
> station, not the server, further protecting from
> man-in-the-middle redirection attacks as the information
> exchanged can not be redirected to allow the attacker to
> authenticate to any station with the users credentials.
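The exchange in the capture above, as an added worked example (this is not code from the post, nor Samba's): it computes the LM and NT responses a client produces for the challenge the server sent in Negotiate Repl, shows the member server copying that challenge and both responses unchanged into the NetrSamLogon request, and shows the DC verifying them against the stored hashes. The challenge 0123456789abcdef and the password "password" are constructed, since the real XXXX/AAAA/UUUU are not on the page. The secure-channel encryption of the RPC itself is not modelled, LM uppercasing is plain ASCII rather than the OEM code page, and MD4 is written out because Go's standard library lacks it (Go is used because it ships DES).

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 is RFC 1320 MD4, written out because Go's standard library does not ship it.
func md4(data []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	var lenb [8]byte
	binary.LittleEndian.PutUint64(lenb[:], uint64(len(data))*8)
	msg = append(msg, lenb[:]...)
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	for off := 0; off < len(msg); off += 64 {
		aa, bb, cc, dd := a, b, c, d
		round := func(fn func(x, y, z uint32) uint32, order [16]int, s [4]int, k uint32) {
			for i, idx := range order {
				a = bits.RotateLeft32(a+fn(b, c, d)+binary.LittleEndian.Uint32(msg[off+4*idx:])+k, s[i%4])
				a, b, c, d = d, a, b, c
			}
		}
		round(f, [16]int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}, [4]int{3, 7, 11, 19}, 0)
		round(g, [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}, [4]int{3, 5, 9, 13}, 0x5a827999)
		round(h, [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}, [4]int{3, 9, 11, 15}, 0x6ed9eba1)
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// des7 expands a 7-byte (56-bit) key into DES's 8-byte form (parity bits zero) and encrypts one block.
func des7(key7, block []byte) []byte {
	var acc uint64
	for _, b := range key7 {
		acc = acc<<8 | uint64(b)
	}
	var k [8]byte
	for i := 7; i >= 0; i-- {
		k[i], acc = byte(acc<<1), acc>>7
	}
	c, _ := des.NewCipher(k[:]) // 8-byte key, so NewCipher cannot fail
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ntHash is NTOWFv1 (MD4 of the UTF-16LE password); lmHash is LMOWFv1 (assumption: plain ASCII uppercasing).
func ntHash(password string) [16]byte {
	var buf []byte
	for _, v := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(v), byte(v>>8))
	}
	return md4(buf)
}
func lmHash(password string) [16]byte {
	p := make([]byte, 14) // uppercase, truncated or zero-padded to 14 bytes
	copy(p, strings.ToUpper(password))
	var out [16]byte
	copy(out[:8], des7(p[:7], []byte("KGS!@#$%")))
	copy(out[8:], des7(p[7:], []byte("KGS!@#$%")))
	return out
}

// challengeResponse is the LM/NTLMv1 response: hash zero-padded to 21 bytes, three 7-byte DES keys, each encrypting the challenge.
func challengeResponse(hash [16]byte, challenge []byte) []byte {
	var k [21]byte
	copy(k[:], hash[:])
	var out []byte
	for i := 0; i < 21; i += 7 {
		out = append(out, des7(k[i:i+7], challenge)...)
	}
	return out
}

// SamLogon is what S puts into NetrSamLogon Req: its own challenge (XXXX) plus C's UUUU and AAAA, copied unchanged.
type SamLogon struct{ Challenge, NTResp, LMResp []byte }

// clientAnswer is C's side: the ANSI (LM) and UNICODE (NT) password fields of Session & Tree Conn Req.
func clientAnswer(password string, challenge []byte) (ansiPass, unicodePass []byte) {
	return challengeResponse(lmHash(password), challenge), challengeResponse(ntHash(password), challenge)
}

// dcVerify is the DC's side: only it holds the stored hashes, so it recomputes the responses for the
// forwarded challenge and compares (NT wins; LM is used only when no NT response is present).
func dcVerify(storedNT, storedLM [16]byte, req SamLogon) bool {
	return subtle.ConstantTimeCompare(challengeResponse(storedNT, req.Challenge), req.NTResp) == 1 ||
		(len(req.NTResp) == 0 && subtle.ConstantTimeCompare(challengeResponse(storedLM, req.Challenge), req.LMResp) == 1)
}

func main() {
	challenge, _ := hex.DecodeString("0123456789abcdef") // constructed XXXX; the page does not give the real value
	aaaa, uuuu := clientAnswer("password", challenge)    // constructed password
	req := SamLogon{Challenge: challenge, NTResp: uuuu, LMResp: aaaa} // S forwards the bytes as received
	fmt.Printf("XXXX=%x\nAAAA=%x\nUUUU=%x\n", challenge, aaaa, uuuu)
	fmt.Println("DC verdict with the right hashes:", dcVerify(ntHash("password"), lmHash("password"), req))
	fmt.Println("DC verdict with other hashes:", dcVerify(ntHash("other"), lmHash("other"), req))
}
```

Run it with go run. The member server in this model never needs the user's hash: it relays the challenge it generated and the two 24-byte responses exactly as the client sent them, and only the DC can judge them. Whatever protection the secure channel gives therefore applies to the RPC that carries the NetrSamLogon request, which this example leaves out, not to the LM/NTLM fields inside it.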