Regarding AUTH_CRAP and NTLMv2
Narendra Kumar S.S
ssnkumar at gmail.com
Mon Jan 17 04:50:28 MST 2011
I didn't tell you what I am trying to achieve out of this.
I am trying to write a simple application, which can sign a given SMB
packet.
I use tcpdump/wireshark to capture all the network traffic and take out the
SMB packet for which I need to check the signature.
Since I have the complete trace, I know the sequence number of the packet.
The only thing that I don't know is the session key.
For NTLMv1, I am able to calculate the session key using AUTH_CRAP message
to winbind.
But, for NTLMv2, this is not working.
Since I am not on a server holding the passwords, I cannot get that
database, nor the individual password.
Since I have the complete network trace, I have the NTLMv2 response.
In your first reply, you had mentioned that:
> The NTLMv2 response includes the name of the computer it
> thought it was talking to. Windows DCs check this, presumably against
> the servicePrincipalName entries
Now, in my case, I am using winbind to get the authentication done.
I am preparing my own AUTH_CRAP message and sending it to winbind.
In the AUTH_CRAP message that I am preparing, there is no
servicePrincipalName.
So, how is the Windows DC finding the servicePrincipalName?
Warm Regards,
Narendra
Visit my blogs at:
http://ssnarendrakumar.blogspot.com/
On Mon, Jan 17, 2011 at 5:11 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2011-01-17 at 17:02 +0530, Narendra Kumar S.S wrote:
> > On Mon, Jan 17, 2011 at 4:51 PM, Andrew Bartlett <abartlet at samba.org>
> > wrote:
> > On Mon, 2011-01-17 at 16:48 +0530, Narendra Kumar S.S wrote:
> > > Hi Andrew,
> > >
> > >
> > > Thanks very much for the quick response.
> > > So, that explains why the AUTH_CRAP with NTLMv2 response is failing!
> > >
> > >
> > > So, is there any way to overcome this?
> >
> >
> > The best way is to simply hold the full password database on your MITM device. i.e., run Samba4 and replicate in the passwords.
> > I cannot get hold of the password database.
> > So, this is ruled out.
>
> If you are not permitted the password DB, for what reason do you think
> you should be able to get at any arbitrary session key?
>
> > It may be possible to bypass the restriction by being a trusted domain, rather than a member server. I've not tried this however.
> > Any idea on how to add it as a trusted domain?
> >
> > > Or is it possible to change the computer name hidden in the NT response?
> >
> >
> > No, the response includes this value in the checksum.
> > If it is possible to change the computer name, I can recalculate the
> > checksum and overwrite the original sum.
>
> Sure, that's all quite possible, if you know the original password.
> Remember, this is a secure challenge-response authentication system :-).
> This aspect in particular is designed to make it harder to break into
> this way.
>
> As you don't know the password (and don't have access to the password
> db), then you can't do this.
>
> > So, is it possible to change the computer name at all?
>
> No. That is why it is embedded in the HMAC checksum.
>
> > > Or will this work, if I have a delegated user?
> >
> >
> > I'm not sure what you mean exactly.
> > In Windows 2003 server, a user can be made a delegated user.
> > But, since the computer name is involved and not the particular user,
> > this change will not help.
> > I quickly tried this and it failed.
>
> Do you mean the 'trusted for delegation'? If you were being an active,
> visible proxy, then Kerberos delegation would be a way to terminate the
> connection you wish to decrypt, and then connect to the target.
>
> But you have not really said what you want to do with the session key,
> so I can only guess.
>
> Andrew Bartlett
>
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Cisco Inc.
>
>
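As an added illustration of the point Andrew makes above (not code from the thread, from Samba or from winbind): the NTLMv2 computation as specified in MS-NLMP, where the server name the client believed it was talking to sits inside the blob that NTProofStr authenticates, and the session base key is derived from NTProofStr with the same password-derived key. The NT hash, challenges, timestamp and names below are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread); a real NT hash is MD4(UTF-16LE(password)).
NT_HASH = bytes(range(16))
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("ffeeddccbbaa9988")
TIMESTAMP = 0x01CBB6A000000000  # arbitrary FILETIME-style value

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 of UPPER(user)+domain keyed by the NT hash."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def target_info(nb_computer: str) -> bytes:
    """MsvAvNbComputerName AV_PAIR (the server the client thinks it talks to) plus MsvAvEOL."""
    value = nb_computer.encode("utf-16-le")
    return struct.pack("<HH", 0x0001, len(value)) + value + struct.pack("<HH", 0x0000, 0)

def blob(client_challenge: bytes, timestamp: int, av_pairs: bytes) -> bytes:
    """The 'temp' structure: version bytes, time, client nonce, then the AV_PAIRs at offset 28."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)

def nt_challenge_response(key: bytes, server_challenge: bytes, temp: bytes):
    """Returns (NTProofStr || temp, SessionBaseKey); both need the password-derived key."""
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp, hmac.new(key, nt_proof, hashlib.md5).digest()

def embedded_server_name(temp: bytes) -> str:
    """Walk the AV_PAIRs inside temp and return MsvAvNbComputerName ('' if absent)."""
    pos = 28
    while pos + 4 <= len(temp):
        av_id, av_len = struct.unpack_from("<HH", temp, pos)
        if av_id == 0x0001:
            return temp[pos + 4:pos + 4 + av_len].decode("utf-16-le")
        pos = pos + 4 + av_len if av_id else len(temp)  # MsvAvEOL ends the list
    return ""

def dc_verify(key: bytes, server_challenge: bytes, response: bytes, expected_server: str) -> bool:
    """What the DC does: recompute NTProofStr over the blob and check the name bound inside it."""
    recomputed = hmac.new(key, server_challenge + response[16:], hashlib.md5).digest()
    return hmac.compare_digest(response[:16], recomputed) and embedded_server_name(response[16:]) == expected_server

def demo():
    key = ntowf_v2(NT_HASH, "narendra", "EXAMPLE")
    genuine, _sbk = nt_challenge_response(key, SERVER_CHALLENGE, blob(CLIENT_CHALLENGE, TIMESTAMP, target_info("FILESRV1")))
    rewritten = genuine[:16] + blob(CLIENT_CHALLENGE, TIMESTAMP, target_info("FILESRV2"))
    return dc_verify(key, SERVER_CHALLENGE, genuine, "FILESRV1"), dc_verify(key, SERVER_CHALLENGE, rewritten, "FILESRV2")
```

`demo()` returns `(True, False)`: the captured blob can be rewritten to name another server, but without the NTOWFv2 key the NTProofStr in front of it no longer matches, and the session base key cannot be recomputed either.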