Regarding AUTH_CRAP and NTLMv2
Andrew Bartlett
abartlet at samba.org
Mon Jan 17 04:10:02 MST 2011
On Mon, 2011-01-17 at 15:23 +0530, Narendra Kumar S.S wrote:
> Hi,
>
> I am trying to write a program, which does AUTH_CRAP and gets the
> session key.
> With NTLMv1, the AUTH_CRAP gets a successful response and can get the
> session key.
> But, with NTLMv2, the AUTH_CRAP fails.
>
> For doing this experiment, my setup is like this.
> 1. I have a windows 2003R2 server with AD/DC.
> 2. I am running winbindd on my Ubuntu box and execute smbclient from
> there.
> 3. I capture the network trace and copy the challenge, lm response, nt
> response, encrypted password, username, domainname and workstation name.
> I am putting all this info in the request packet and sending to
> winbindd - this is done from a third computer running CentOS 5.4 (this m/c
> has also joined the domain using net ads join and running winbindd).
> If the nt response is of length 24 (that is NTLMv1), the AUTH_CRAP
> returns a success.
> If the nt response is greater than 24 (that is NTLMv2), the AUTH_CRAP
> returns a failure.
>
> So, does Windows 2003R2 server expect any other information other than
> the things that I am sending?
> How can NTLMv2 fail, while NTLMv1 succeeds!?
This is actually by design.
Against Windows DCs (I really should implement this for Samba too...),
NTLMv2 includes a small protection against this 'man in the middle
attack'. The NTLMv2 response includes the name of the computer it
thought it was talking to. Windows DCs check this, presumably against
the servicePrincipalName entries, and refuse the login otherwise.
That is why Samba 3.6 will default to NTLMv2 responses by default, as
otherwise any stolen laptop provides the power to 'man in the middle'
the entire enterprise.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
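The mechanism Andrew describes (the NTLMv2 response binding the name of the server the client believed it was talking to, so a response captured against one host verifies cryptographically but is rejected when presented as a login to another) can be modelled end to end. The following is an added example, not code from this thread or from Samba or Windows: it builds an NTLMv2 response per MS-NLMP (NTOWFv2, the NTProofStr over the server challenge plus the client blob, the target-info AV_PAIRs carrying the server's NetBIOS and DNS names) and then a simplified DC-side verifier that checks both the proof and the bound target names before handing back the session base key. The user, password, challenges, timestamp and host names are constructed sample values, and MD4 is inlined because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inlined (hashlib may lack it); needed for the NT hash."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (G, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates "d"
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt_hash_bytes: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2 = HMAC-MD5(NT hash, UTF16LE(UPPER(user) + domain)); the DC derives this from the stored hash
    return hmac.new(nt_hash_bytes, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


# AV_PAIR ids from MS-NLMP that carry target names
MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME, MSV_AV_DNS_COMPUTER_NAME = 0, 1, 2, 3


def av_pairs(pairs) -> bytes:
    """Encode (id, unicode string) pairs as AV_PAIRs terminated by MsvAvEOL."""
    enc = [(i, s.encode("utf-16-le")) for i, s in pairs]
    return b"".join(struct.pack("<HH", i, len(v)) + v for i, v in enc) + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av_pairs(blob: bytes) -> dict:
    """Return {av_id: raw value bytes} up to the MsvAvEOL terminator."""
    out, off = {}, 0
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            break
        out[av_id] = blob[off:off + av_len]
        off += av_len
    return out


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: bytes, target_info: bytes):
    """Client side: returns (NtChallengeResponse, SessionBaseKey)."""
    # temp = RespType(1) HiRespType(1) Reserved(6) TimeStamp(8) ClientChallenge(8) Reserved(4) AvPairs Reserved(4)
    temp = b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4
    proof = hmac.new(ntowf, server_challenge + temp, hashlib.md5).digest()
    return proof + temp, hmac.new(ntowf, proof, hashlib.md5).digest()


def verify_ntlmv2(ntowf: bytes, server_challenge: bytes, nt_response: bytes, server_names):
    """Simplified model of the DC check: the proof must verify AND the target names bound into
    the blob must name the server that actually received the login. Returns (session_key|None, reason)."""
    if len(nt_response) <= 24:
        return None, "NTLMv1-length response: no target name bound, nothing to check"
    proof, temp = nt_response[:16], nt_response[16:]
    expected = hmac.new(ntowf, server_challenge + temp, hashlib.md5).digest()
    if not hmac.compare_digest(expected, proof):
        return None, "NTProofStr mismatch"
    names = parse_av_pairs(temp[28:-4])
    bound = {names[i].decode("utf-16-le").upper()
             for i in (MSV_AV_NB_COMPUTER_NAME, MSV_AV_DNS_COMPUTER_NAME) if i in names}
    if not bound & {n.upper() for n in server_names}:
        return None, "target name mismatch: response was built for %s" % sorted(bound)
    return hmac.new(ntowf, proof, hashlib.md5).digest(), "ok"


def demo() -> dict:
    # Constructed sample values; nothing here comes from a real domain.
    key = ntowf_v2(nt_hash("password"), "alice", "EXAMPLE")
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = bytes.fromhex("ffeeddccbbaa9988")
    timestamp = struct.pack("<Q", 0x01CBB5F000000000)  # FILETIME, constructed
    target_info = av_pairs([(MSV_AV_NB_COMPUTER_NAME, "FILESRV01"),
                            (MSV_AV_NB_DOMAIN_NAME, "EXAMPLE"),
                            (MSV_AV_DNS_COMPUTER_NAME, "filesrv01.example.test")])
    nt_response, client_key = ntlmv2_response(key, server_challenge, client_challenge, timestamp, target_info)
    legit_key, legit_reason = verify_ntlmv2(key, server_challenge, nt_response,
                                            ["FILESRV01", "filesrv01.example.test"])
    # Same response, but presented as a login to a different host: proof is valid, names are not.
    other_key, other_reason = verify_ntlmv2(key, server_challenge, nt_response, ["OTHERSRV"])
    v1_key, v1_reason = verify_ntlmv2(key, server_challenge, nt_response[:24], ["OTHERSRV"])
    return {"client_key": client_key, "legit_key": legit_key, "legit_reason": legit_reason,
            "other_key": other_key, "other_reason": other_reason, "v1_key": v1_key, "v1_reason": v1_reason}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

Running the demo shows the point of the thread: for the host named in the blob the verifier derives the same session base key the client holds, while the identical response checked against a different host name fails on the target-name comparison even though the NTProofStr is cryptographically correct, and a 24-byte NTLMv1-style response carries no name at all, which is why the older scheme offers no such protection.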