win2k3 to win98

Christopher R. Hertel crh at ubiqx.mn.org
Sun Jul 1 19:08:31 GMT 2007


Seatec:

Start here:

  http://ubiqx.org/cifs/SMB.html#SMB.8

That should get you most of the way from the old LM hash through NTLM, LMv2,
and NTLMv2.

Once you've covered that, you may want to look at:

  http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/
and
  http://davenport.sourceforge.net/ntlm.html
and, of course, Wikipedia.

The basic problem is that authentication is a moving target.  Microsoft,
quite reasonably, has to keep introducing stronger authentication methods
and defaulting to stricter requirements.  Newer systems may, for instance,
require Kerberos authentication.

I hope that helps.

Chris -)-----

seatec wrote:
> Hi everyone,
> 
> after talking to Kai Blin on IRC for half a night and part of the day he
> pointed me to the list.
> 
> I wrote a little pseudo-CIFS server about 2 years ago, which works fine
> for smbclient, XP (SP2) and others. It doesn't offer much, but it
> negotiates the challenge/response authentication scheme.
> 
> The client password gets uppercased, padded with zeros to 14 bytes,
> split into two halves of 7 bytes, 2 eight byte DES keys are created out
> of those. These 2 keys are used to encrypt a static string -> 2 LM hashes.
> Those two 16 byte LM hashes are padded with 5 zeros to 21 bytes, split
> into 3 chunks, DES key creation, those are used to encrypt the challenge
> -> 24 byte NTLM hash. That's the scheme we are talking about.
> 
> 2 nights ago I noticed it doesn't work for win2k3. Knowing the plaintext
> password and seeing the challenge on the wire, I can create the hash,
> and I can see smbclient or XP send exactly what I created. Win2k3 also
> sends a 24 byte hash, but that one is completely off.
> 
> What's even more strange: I set up a win98 in vmware and made win2k3
> connect to a share. I see the whole session negotiation, challenge/hash
> exchange and everything, and again the hash "should be" different than
> win2k3 is sending. But not only is the hash I see on the wire different,
> win98 even accepts that hash and allows the client to log in with it.
> 
> I don't have the slightest idea what kind of hash win2k3 is sending, and
> why it works.
> 
> Last night I compared the pcap of a winxp logging into my little pseudo
> server with a win2k3 logging in. Both clients send the same flags, the
> same fields (different account and machine names, but that shouldn't
> matter), the same everything. As the plaintext password is the same and
> the challenge for this testcase was static, they should both send the
> same hash. smbclient sends what xp sends. win2k3 also sends a 24 byte
> hash, but it's different.
> 
> If anyone could tell me what kind of hash win2k3 is sending there I'd be
> grateful. I can provide pcaps, plaintext password, hash, session
> key (challenge), ...
> 
> 
> seatec

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
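As an added example (not code from this thread or from Samba), the LM hash and 24-byte LM challenge/response that seatec describes, written as the server-side check a pseudo-CIFS server would perform on the response it receives; the challenge value is constructed for illustration, and the final comment notes that the same 21-byte construction applied to the NT hash gives the NTLM response covered by the links above.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext every LM hash is built from.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads 56 key bits over 8 bytes, 7 bits per byte with the
// low (parity) bit of each byte left zero, which is what crypto/des expects.
func desKeyFrom7(k []byte) []byte {
	out := make([]byte, 8)
	var carry byte
	for i := 0; i < 7; i++ {
		out[i] = ((carry | (k[i] >> uint(i+1))) & 0x7F) << 1
		carry = k[i] << uint(6-i) // leftover low bits of k[i] feed the next byte
	}
	out[7] = (carry & 0x7F) << 1
	return out
}

// desEncrypt7 encrypts one 8-byte block under a 7-byte LM-style key.
func desEncrypt7(key7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(key7))
	if err != nil {
		panic(err) // only possible with a wrong key length
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// LMHash: uppercase (ASCII only here), zero-pad or truncate to 14 bytes,
// split into two 7-byte DES keys, encrypt the constant with each -> 16 bytes.
func LMHash(password string) []byte {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password)) // copy drops anything past 14 bytes
	return append(desEncrypt7(p[:7], lmMagic), desEncrypt7(p[7:], lmMagic)...)
}

// LMResponse: pad the 16-byte hash with 5 zero bytes to 21, split into three
// 7-byte DES keys, encrypt the 8-byte challenge with each -> 24 bytes.
// Feeding the NT hash through this same function yields the NTLM response.
func LMResponse(hash16, challenge []byte) []byte {
	k := make([]byte, 21)
	copy(k, hash16)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt7(k[i:i+7], challenge)...)
	}
	return resp
}

// VerifyLMResponse is the server's check: recompute the expected 24 bytes
// from the stored hash and the challenge it issued, compare in constant time.
func VerifyLMResponse(storedHash, challenge, received []byte) bool {
	return subtle.ConstantTimeCompare(LMResponse(storedHash, challenge), received) == 1
}

func main() {
	chal, _ := hex.DecodeString("0123456789abcdef") // constructed server challenge
	h := LMHash("password")
	fmt.Printf("LM hash:     %X\n", h)
	fmt.Printf("LM response: %X\n", LMResponse(h, chal))
}
```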

