[NTSEC] NTDOM: negotiating either RC4 _or_ some other crypt mechanism
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Tue Nov 4 21:00:14 GMT 1997
On Sun, 2 Nov 1997, Russ wrote:
> >if it's correct, then the implications are that if you can sniff a
> >packet trace of a domain setup / logon / logoff, then you can decrypt
> >the long-term session key.
> 1. If the machine is not added to a domain, does the machine password
> stay the same (or even get created)? If not, then the exploit might be
> thwarted by doing the install against a disconnected hub, then adding
> the machine to the domain after setup is complete (since the machine
> password might not be predictable at that point).
in my first reply to this, i mentioned that it might be the case that
during the "Welcome to the ..... Domain" setup, the workstation account
is created (with the initial password).
unless the workstation name is deduced from the NetBIOS session
connection and this is used, i don't believe this to be the case (again,
this is all speculation).
i have seen SMB sessions refused with a specific error message (something
like "no NT LOGON account") during the ctrl-alt-delete stage when a user
first logs in to a domain.
also, part of the "Welcome to the .... Domain" setup requires that you
return a specific error code to an SMB session setup:
(NT_STATUS_ALLOTTED_SPACE_EXCEEDED - 0xC000 0099...)
if you do not do this, you will get "error: you are already a member of
the domain. please unjoin domain first". or some-such.
this has me a bit stumped: when exactly do you create the WORKSTATION$
account with the initial default password of workstation? does it matter?
[all this, and more, will probably never be answered, in next week's
Luke Kenneth Casson Leighton <lkcl at switchboard.net>
Lynx2.7-friendly Home Page: http://mailhost.cb1.com/~lkcl
"Apply the Laws of Nature to your environment because your
environment applies the Laws of Nature to you"