[NTSEC] NTDOM: negotiating either RC4 _or_ some other crypt mechanism

Luke Kenneth Casson Leighton lkcl at switchboard.net
Tue Nov 4 21:00:14 GMT 1997

On Sun, 2 Nov 1997, Russ wrote:

> > if it's correct, then the implications are that if you can sniff an
> > entire packet trace of a domain setup / logon / logoff, then you can
> > decrypt the long-term session key.
> 1. If the machine is not added to a domain, does the machine password
> stay the same (or even get created)? If not, then the exploit might be
> thwarted by doing the install against a disconnected hub, then adding
> the machine to the domain after setup is complete (since the machine
> password might not be predictable at that point).


in my first reply to this, i mentioned that it might be the case that 
during the "Welcome to the ..... Domain" setup, the workstation account 
is created (with the initial password).

unless the workstation name is deduced from the NetBIOS session 
connection and this is used, i don't believe this to be the case (again, 
this is all speculation).

i have seen SMB sessions refused with a specific error message (something 
like "no NT LOGON account") during the ctrl-alt-delete stage when a user 
first logs in to a domain.

also, part of the "Welcome to the .... Domain" setup requires that you
return a specific error code to an SMB session setup:


if you do not do this, you will get "error: you are already a member of 
the domain.  please unjoin domain first".  or some-such.

this has me a bit stumped: when exactly do you create the WORKSTATION$
account with the initial default password of workstation?  does it matter?

[all this, and more, will probably never be answered, in next week's
 exciting installment...]


Luke Kenneth Casson Leighton <lkcl at switchboard.net>
Lynx2.7-friendly Home Page: http://mailhost.cb1.com/~lkcl
"Apply the Laws of Nature to your environment because your
 environment applies the Laws of Nature to you"
