Regarding AUTH_CRAP and NTLMv2

Narendra Kumar S.S ssnkumar at gmail.com
Mon Jan 17 06:11:20 MST 2011


Hello Volker and Andrew,

    One final clarification.
    I am sending the AUTH_CRAP from my own code to winbindd and winbindd
sends it to DC/AD.
    Now the server has the capability to use the NTLMv2 response to find out
the original user.
    To verify the authenticity, it has to know who is sending the NTLMv2 (in
this case, my code is sending it through winbindd).
    I am filling up the AUTH_CRAP with the same information that I received
from server and client.
    So, how does the DC/AD get the serverPrincipalName to verify with the
information that it got in the NTLMv2 response?

Warm Regards,
Narendra

Visit my blogs at:
http://ssnarendrakumar.blogspot.com/


On Mon, Jan 17, 2011 at 6:08 PM, Narendra Kumar S.S <ssnkumar at gmail.com>wrote:

> Hello Volker and Andrew,
>
>     Thanks for the detailed clarifications.
>     That really helps.
>
> Warm Regards,
> Narendra
>
> Visit my blogs at:
> http://ssnarendrakumar.blogspot.com/
>
>
> On Mon, Jan 17, 2011 at 5:42 PM, Volker Lendecke <Volker.Lendecke at sernet.de> wrote:
>
>> On Mon, Jan 17, 2011 at 05:20:28PM +0530, Narendra Kumar S.S wrote:
>> > I didn't tell you what I am trying to achieve out of this.
>> > I am trying to write a simple application, which can sign a given SMB
>> > packet.
>> > I use tcpdump/wireshark to capture all the network traffic and take out
>> the
>> > smb packet for which I need to check the signature.
>> > Since I have the complete trace, I know the sequence number of the
>> packet.
>> > The only thing that I don't know is the session key.
>> > For NTLMv1, I am able to calculate the session key using AUTH_CRAP
>> message
>> > to winbind.
>> > But, for NTLMv2, this is not working.
>>
>> And this is by design. What you want to achieve is
>> cryptographically not possible. No chance. There is just not
>> enough information in the wire traffic to do what you want.
>> This is one important reason that NTLMv2 is regarded more
>> secure than older authentication protocols: These MITM
>> attacks have been made impossible.
>>
>> With best regards,
>>
>> Volker
>>
>> --
>> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
>> phone: +49-551-370000-0, fax: +49-551-370000-9
>> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
>>
>
>
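As an added illustration (not part of the thread above): the NTLMv2 computation as specified in MS-NLMP, run on that specification's published test vectors as constructed input. The proof value and the blob it is computed over, including the AV pairs that carry the target's domain and server names (which is where the server name Narendra asks about is bound into the response), travel on the wire; both the proof and the SessionBaseKey are keyed with NTOWFv2, which is derived from the NT hash that only the client and the DC hold, and the DC side below recomputes the proof from its stored hash before deriving the key.

```python
import hashlib
import hmac
import struct

# Constructed inputs, copied from the NTLMv2 test vectors in MS-NLMP section 4.2.4.
# The NT hash is MD4(UTF-16LE "Password"); it lives only on the client and the DC,
# never on the wire, and is given directly so the block needs no MD4 implementation.
NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")
USER, DOMAIN = "User", "Domain"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")  # sent by the server in CHALLENGE
CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")  # picked by the client
TIMESTAMP = 0                                          # FILETIME, zero in the test vector
TARGET_INFO = (struct.pack("<HH", 0x0002, 12) + "Domain".encode("utf-16-le")   # MsvAvNbDomainName
               + struct.pack("<HH", 0x0001, 12) + "Server".encode("utf-16-le")  # MsvAvNbComputerName
               + struct.pack("<HH", 0x0000, 0))                                  # MsvAvEOL

def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2 = HMAC_MD5(NT hash, UPPER(user) + domain), both UTF-16LE (MS-NLMP 3.3.2)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def ntlmv2_temp(timestamp, client_challenge, target_info):
    """The 'temp' blob: RespType, HiRespType, 6 reserved, time, nonce, 4 reserved, AV pairs, 4 reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)

def ntlmv2_response(nt_hash, user, domain, server_challenge, temp):
    """Client side: returns (NTProofStr, SessionBaseKey). Only NTProofStr||temp goes on the wire."""
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof_str = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof_str, hashlib.md5).digest()
    return nt_proof_str, session_base_key

def verify_and_derive_key(stored_nt_hash, user, domain, server_challenge, wire_nt_response):
    """DC side: recompute the proof from the stored NT hash and the wire blob; return the
    SessionBaseKey on success, None on mismatch. Everything but stored_nt_hash is wire data."""
    nt_proof_str, temp = wire_nt_response[:16], wire_nt_response[16:]
    expected, key = ntlmv2_response(stored_nt_hash, user, domain, server_challenge, temp)
    return key if hmac.compare_digest(expected, nt_proof_str) else None

def av_pairs(temp):
    """Walk the AV_PAIR list inside temp; this is where the target (server) name is bound in."""
    pairs, pos = {}, 28  # 2 + 6 + 8 + 8 + 4 bytes precede the AV pairs
    while True:
        av_id, av_len = struct.unpack_from("<HH", temp, pos)
        if av_id == 0:
            return pairs
        pairs[av_id] = temp[pos + 4:pos + 4 + av_len].decode("utf-16-le")
        pos += 4 + av_len
```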


More information about the samba-technical mailing list