win2k3 to win98

seatec seatec-astronomy at gmx.de
Sun Jul 1 11:08:29 GMT 2007 

Hi everyone,

after talking to Kai Blin on irc for half a night and part of the day he
pointed me to the list.

I wrote a little pseudo-cifs server about 2 years ago, which works fine
for smbclient, XP (SP2) and others. It doesn't offer much, but it
negotiates the challenge/response authentication scheme

The client password gets uppercased, padded with zeros to 14 bytes,
split into two halves of 7 bytes, 2 eight byte DES keys are created out
of those. These 2 keys are used to encrypt a static string -> 2 LM hashes.
Those two 16 byte lm hashes are padded with 5 zeros to 21 bytes, split
into 3 chunks, DES key creation, those are used to encrypt the challenge
-> 24 byte ntlm hash. Thats the scheme we are talking about.

2 nights ago I noticed it doesnt work for win2k3. Knowing the plaintext
password and seeing the challenge on the wire, I can create the hash,
and I can see smbclient or XP send exactly what I created. Win2k3 also
sends a 24 byte hash, but that one is completely off.

Whats even more strange: I setup a win98 in vmware and made win2k3
connect to a share. I see the whole session negotiation, challenge/hash
exchange and everything, and again the hash "should be" different than
win2k3 is sending. But not only is the hash I see on the wire different,
win98 even accepts that hash and allows the client to log in with it.

I don't have the slightest idea what kind of hash win2k3 is sending, and
why it works.

Last night I compared the pcap of a winxp logging into my little pseudo
server with a win2k3 logging in. Both clients send the same flags, the
same fields(different account and machine names. but that shouldnt
matter), the same everything. As the plaintext password is the same and
the challenge for this testcase was static, they should both send the
same hash. smbclient sends what xp sends. win2k3 also sends a 24 byte
hash, but it's different.

If anyone could tell me what kind of hash win2k3 is sending there I'd be
 grateful. I can provide pcaps, plaintext password, hash, session
key(challenge), ...


seatec

More information about the samba-technical mailing list