win2k3 to win98
Christopher R. Hertel
crh at ubiqx.mn.org
Sun Jul 1 19:08:31 GMT 2007
That should get you most of the way from the old LM hash through NTLM, LMv2,
Once you've covered that, you may want to look at:
and, of course, Wikipedia.
The basic problem is that authentication is a moving target. Microsoft,
quite reasonably, has to keep introducing stronger authentication methods
and defaulting to stricter requirements. Newer systems may, for instance,
require Kerberos authentication.
I hope that helps.
> Hi everyone,
> after talking to Kai Blin on irc for half a night and part of the day he
> pointed me to the list.
> I wrote a little pseudo-cifs server about 2 years ago, which works fine
> for smbclient, XP (SP2) and others. It doesn't offer much, but it
> negotiates the challenge/response authentication scheme
> The client password gets uppercased, padded with zeros to 14 bytes,
> split into two halves of 7 bytes, 2 eight byte DES keys are created out
> of those. These 2 keys are used to encrypt a static string -> 2 LM hashes.
> Those two 16 byte lm hashes are padded with 5 zeros to 21 bytes, split
> into 3 chunks, DES key creation, those are used to encrypt the challenge
> -> 24 byte ntlm hash. Thats the scheme we are talking about.
> 2 nights ago I noticed it doesnt work for win2k3. Knowing the plaintext
> password and seeing the challenge on the wire, I can create the hash,
> and I can see smbclient or XP send exactly what I created. Win2k3 also
> sends a 24 byte hash, but that one is completely off.
> Whats even more strange: I setup a win98 in vmware and made win2k3
> connect to a share. I see the whole session negotiation, challenge/hash
> exchange and everything, and again the hash "should be" different than
> win2k3 is sending. But not only is the hash I see on the wire different,
> win98 even accepts that hash and allows the client to log in with it.
> I don't have the slightest idea what kind of hash win2k3 is sending, and
> why it works.
> Last night I compared the pcap of a winxp logging into my little pseudo
> server with a win2k3 logging in. Both clients send the same flags, the
> same fields(different account and machine names. but that shouldnt
> matter), the same everything. As the plaintext password is the same and
> the challenge for this testcase was static, they should both send the
> same hash. smbclient sends what xp sends. win2k3 also sends a 24 byte
> hash, but it's different.
> If anyone could tell me what kind of hash win2k3 is sending there I'd be
> grateful. I can provide pcaps, plaintext password, hash, session
> key(challenge), ...
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
More information about the samba-technical