NTDOM: SamLogon validation of one workstation to another via a PDC.

Luke Kenneth Casson Leighton lkcl at switchboard.net
Sun Feb 1 20:46:28 GMT 1998


a piece of the puzzle of NT Domains is attached, which needs solving.

this packet is activated when a user of one NT workstation accesses a
second NT workstation, the second NT workstation being a member of a
domain.  it is therefore a critically important part of the NT 3.5 / 4.0
Domain protocol, as it allows a user on one workstation to access files on
another workstation, securely.

the 8 byte challenge (LmChallenge) and 24 byte lm and nt responses
(LmChallengeResponse and NtChallengeResponse) of the SMBnegprot and
SMBsessionsetupX between the first and second NT workstations are sent to
the PDC, in the DCE/RPC packet shown below.  presumably the challenge /
responses are two-way obfuscated. 

the PDC decrypts the challenge and responses (presumably) and then does a
standard SMB password validate, as if it had issued the SMBnegprot
response, and received the SMBsessionsetupX query itself.

does anyone know what obfuscation / encryption is used to encode the
challenge and responses in the packet below?

luke (samba team)

Luke Kenneth Casson Leighton  <lkcl at samba.anu.edu.au>
Samba and Network Development  http://mailhost.cb1.com/~lkcl



Network Monitor trace  Sun 02/01/98 17:54:51  \\regent\root\info\sam_challenge.txt

************************************************************************************************************************************************************
Frame   Time    Src MAC Addr   Dst MAC Addr   Protocol  Description                                                       Src Other Addr  Dst Other Addr  Type Other Addr
32      8.914   KNIGHT         REGENT         R_LOGON   RPC Client call logon:NetrLogonSamLogon(..)                       KNIGHT          REGENT          IP

+ FRAME: Base frame properties
+ ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
+ IP: ID = 0x9205; Proto = TCP; Len: 458
+ TCP: .AP..., len:  418, seq:   1442186-1442603, ack:2491898253, win: 8313, src: 1032  dst:  139 (NBT Session) 
+ NBT: SS: Session Message, Len: 414
+ SMB: C transact TransactNmPipe, FID = 0x801
+ MSRPC: c/o RPC Request:      call 0x6  opnum 0x2  context 0x0  hint 0x13A
  R_LOGON: RPC Client call logon:NetrLogonSamLogon(..)
      R_LOGON: LOGONSRV_HANDLE LogonServer = \\REGENT
      R_LOGON: wchar_t ComputerName = KNIGHT
      R_LOGON: PNETLOGON_AUTHENTICATOR Authenticator {..}
          R_LOGON: NETLOGON_CREDENTIAL Credential {..}
              R_LOGON: CHAR data [..] = 89 97 14 C1 23 C6 7B BB
          R_LOGON: DWORD timestamp = 886355494 (0x34D4B626)
      R_LOGON: PNETLOGON_AUTHENTICATOR ReturnAuthenticator {..}
          R_LOGON: NETLOGON_CREDENTIAL Credential {..}
              R_LOGON: CHAR data [..] = B9 6E F6 77 00 00 14 00
          R_LOGON: DWORD timestamp = 0 (0x0)
      R_LOGON: NETLOGON_LOGON_INFO_CLASS LogonLevel = 2 (0x2)
      R_LOGON: PNETLOGON_LEVEL LogonInformation {..}
          R_LOGON: Switch Value = 2 (0x2)
          R_LOGON: PNETLOGON_NETWORK_INFO LogonNetwork {..}
              R_LOGON: NETLOGON_LOGON_IDENTITY_INFO Identity {..}
                  R_LOGON: UNICODE_STRING LogonDomainName {..}
                      R_LOGON: USHORT Length = 10 (0xA)
                      R_LOGON: USHORT MaximumLength = 10 (0xA)
                      R_LOGON: USHORT * Buffer = 1388208 (0x152EB0)
                  R_LOGON: ULONG ParameterControl = 2 (0x2)
                  R_LOGON: OLD_LARGE_INTEGER LogonId {..}
                      R_LOGON: ULONG LowPart = 35800 (0x8BD8)
                      R_LOGON: LONG HighPart = 0 (0x0)
                  R_LOGON: UNICODE_STRING UserName {..}
                      R_LOGON: USHORT Length = 8 (0x8)
                      R_LOGON: USHORT MaximumLength = 8 (0x8)
                      R_LOGON: USHORT * Buffer = 1388218 (0x152EBA)
                  R_LOGON: UNICODE_STRING Workstation {..}
                      R_LOGON: USHORT Length = 16 (0x10)
                      R_LOGON: USHORT MaximumLength = 16 (0x10)
                      R_LOGON: USHORT * Buffer = 1388226 (0x152EC2)
              R_LOGON: LM_CHALLENGE LmChallenge {..}
                  R_LOGON: CHAR data [..] = FB DA 8B 7F 9B 0B C1 9E
              R_LOGON: STRING NtChallengeResponse {..}
                  R_LOGON: USHORT Length = 24 (0x18)
                  R_LOGON: USHORT MaximumLength = 24 (0x18)
                  R_LOGON: PCHAR Buffer = 1388242 (0x152ED2)
              R_LOGON: STRING LmChallengeResponse {..}
                  R_LOGON: USHORT Length = 24 (0x18)
                  R_LOGON: USHORT MaximumLength = 24 (0x18)
                  R_LOGON: PCHAR Buffer = 1388266 (0x152EEA)
              R_LOGON: USHORT * Buffer [..] = 0054 0045 0053 0054 0033
              R_LOGON: USHORT * Buffer [..] = 006C 006B 0063 006C
              R_LOGON: USHORT * Buffer [..] = 005C 005C 0052 0045 0047 0045 004E 0054
              R_LOGON: PCHAR Buffer [..] = 42 4C FF D2 71 BB 8F 24 4B 9F 86 8B A7 A3 DA D3 96 14 88 45 7E BB B5 28
              R_LOGON: PCHAR Buffer [..] = 5D F4 44 C6 A2 CC DE 7E 22 5F C2 F6 B4 C6 3B 2D C1 CF B0 29 F5 D4 92 2E
      R_LOGON: NETLOGON_VALIDATION_INFO_CLASS ValidationLevel = 3 (0x3)

00000:  00 C0 5C 03 12 1E 00 80 C8 81 8F 9D 08 00 45 00   ..\...........E.
00010:  01 CA 92 05 40 00 80 06 B1 B7 C2 9F 18 18 C2 9F   .... at ...........
00020:  18 1A 04 08 00 8B 00 16 01 8A 94 87 59 8D 50 18   ............Y.P.
00030:  20 79 B5 F8 00 00 00 00 01 9E FF 53 4D 42 25 00    y.........SMB%.
00040:  00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00   ................

00090:                                            B8 CE               ..
000A0:  14 00 09 00 00 00 00 00 00 00 09 00 00 00 5C 00 ..............\.
000B0:  5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 
                                                  00 00 \.R.E.G.E.N.T...
000C0:  C9 11 B4 3C 95 75 
                          07 00 00 00 00 00 00 00 07 00 ...<.u..........
000D0:  00 00 4B 00 4E 00 49 00 47 00 48 00 54 00 00 00 ..K.N.I.G.H.T...
000E0:  00 00 
              F8 F9 49 01 
                          89 97 14 C1 23 C6 7B BB 
                                                  26 B6 ....I.....#.{.&.
000F0:  D4 34 
              04 FA 49 01 
                          B9 6E F6 77 00 00 14 00 
                                                  00 00 .4..I..n.w......
00100:  00 00 
              02 00 
                    02 00 28 FD 49 01 
                                      0A 00 0A 00 B0 2E ......(.I.......
00110:  15 00 
              02 00 00 00 
                          D8 8B 00 00 00 00 00 00 
                                                  08 00 ................
00120:  08 00 BA 2E 15 00 
                          10 00 10 00 C2 2E 15 00 
                                                  FB DA ................
00130:  8B 7F 9B 0B C1 9E 
                          18 00 18 00 D2 2E 15 00 
                                                  18 00 ...............
00140:  18 00 EA 2E 15 00 
                          05 00 00 00 00 00 00 00 05 00 ................
00150:  00 00 54 00 45 00 53 00 54 00 33 00 45 00 
                                                  04 00 ..T.E.S.T.3.E...
00160:  00 00 00 00 00 00 04 00 00 00 6C 00 6B 00 63 00 ..........l.k.c.
00170:  6C 00 
              08 00 00 00 00 00 00 00 08 00 00 00 5C 00 l.............\.
00180:  5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 
                                                  18 00 \.R.E.G.E.N.T...
00190:  00 00 00 00 00 00 18 00 00 00 42 4C FF D2 71 BB ..........BL..q.
001A0:  8F 24 4B 9F 86 8B A7 A3 DA D3 96 14 88 45 7E BB .$K..........E~.
001B0:  B5 28 
              18 00 00 00 00 00 00 00 18 00 00 00 5D F4 .(............].
001C0:  44 C6 A2 CC DE 7E 22 5F C2 F6 B4 C6 3B 2D C1 CF D....~"_....;-..
001D0:  B0 29 F5 D4 92 2E 
                          03 00                         .)......        
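To make the on-the-wire layout concrete, here is an added example, written for this post and not code from Samba or Microsoft, that decodes the 0x13A-byte request stub from the hex dump above with a small hand-written NDR reader. The `NdrReader` class, `parse_sam_logon_request` function and the dictionary keys are my own names; the bytes are transcribed from frame offsets 0x9E to 0x1D7 of the trace. It recovers the same fields Network Monitor displays (server, workstation, authenticator, domain, user, the 8-byte LmChallenge and the two 24-byte responses) and checks that their lengths match the headers and that the whole stub is consumed; it only locates the challenge and responses, and says nothing about whether they have been transformed before being sent.

```python
import struct

# Stub data of the NetrLogonSamLogon request, transcribed from the hex dump in
# the post: frame offsets 0x9E..0x1D7, the 0x13A (314) bytes announced by the
# "hint" field of the MSRPC request header.
STUB_HEX = """
B8 CE 14 00 09 00 00 00 00 00 00 00 09 00 00 00 5C 00
5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 00 00
C9 11 B4 3C 95 75 07 00 00 00 00 00 00 00 07 00
00 00 4B 00 4E 00 49 00 47 00 48 00 54 00 00 00
00 00 F8 F9 49 01 89 97 14 C1 23 C6 7B BB 26 B6
D4 34 04 FA 49 01 B9 6E F6 77 00 00 14 00 00 00
00 00 02 00 02 00 28 FD 49 01 0A 00 0A 00 B0 2E
15 00 02 00 00 00 D8 8B 00 00 00 00 00 00 08 00
08 00 BA 2E 15 00 10 00 10 00 C2 2E 15 00 FB DA
8B 7F 9B 0B C1 9E 18 00 18 00 D2 2E 15 00 18 00
18 00 EA 2E 15 00 05 00 00 00 00 00 00 00 05 00
00 00 54 00 45 00 53 00 54 00 33 00 45 00 04 00
00 00 00 00 00 00 04 00 00 00 6C 00 6B 00 63 00
6C 00 08 00 00 00 00 00 00 00 08 00 00 00 5C 00
5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 18 00
00 00 00 00 00 00 18 00 00 00 42 4C FF D2 71 BB
8F 24 4B 9F 86 8B A7 A3 DA D3 96 14 88 45 7E BB
B5 28 18 00 00 00 00 00 00 00 18 00 00 00 5D F4
44 C6 A2 CC DE 7E 22 5F C2 F6 B4 C6 3B 2D C1 CF
B0 29 F5 D4 92 2E 03 00
"""
STUB = bytes.fromhex(STUB_HEX)


class NdrReader:
    """Minimal little-endian NDR reader (hypothetical helper, not Samba code).
    Scalars are aligned to their natural size, measured from the start of the
    stub, which is why two pad bytes follow each odd-length wide string."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def align(self, n):
        self.pos = (self.pos + n - 1) & ~(n - 1)

    def u16(self):
        self.align(2)
        (v,) = struct.unpack_from("<H", self.data, self.pos)
        self.pos += 2
        return v

    def u32(self):
        self.align(4)
        (v,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        return v

    def raw(self, n):
        v = bytes(self.data[self.pos:self.pos + n])
        self.pos += n
        return v

    def conformant_varying(self, width):
        """max_count, offset, actual_count, then actual_count elements."""
        max_count, offset, actual = self.u32(), self.u32(), self.u32()
        assert offset == 0 and actual <= max_count
        return self.raw(actual * width)

    def wstr(self):
        """[string] wchar_t*: UTF-16LE, the NUL terminator counted."""
        return self.conformant_varying(2).decode("utf-16-le").rstrip("\0")

    def string_header(self):
        """UNICODE_STRING / STRING header: Length, MaximumLength, Buffer
        referent id; the buffer itself is deferred past the enclosing struct."""
        length, _max_length, _referent = self.u16(), self.u16(), self.u32()
        return length


def parse_sam_logon_request(stub):
    """Decode a NetrLogonSamLogon request stub with LogonLevel 2 (network info)."""
    r, out = NdrReader(stub), {}
    r.u32()                                  # LogonServer referent id
    out["LogonServer"] = r.wstr()
    r.u32()                                  # ComputerName referent id
    out["ComputerName"] = r.wstr()
    for name in ("Authenticator", "ReturnAuthenticator"):
        r.u32()                              # NETLOGON_AUTHENTICATOR referent id
        out[name] = {"Credential": r.raw(8), "timestamp": r.u32()}
    out["LogonLevel"], out["SwitchValue"] = r.u16(), r.u16()
    r.u32()                                  # NETLOGON_NETWORK_INFO referent id
    dom_len = r.string_header()              # identity info: headers only inline
    out["ParameterControl"] = r.u32()
    low, high = r.u32(), r.u32()             # OLD_LARGE_INTEGER LogonId
    out["LogonId"] = low | (high << 32)
    user_len, ws_len = r.string_header(), r.string_header()
    out["LmChallenge"] = r.raw(8)            # fixed 8-byte struct, sent inline
    nt_len, lm_len = r.string_header(), r.string_header()
    # Deferred buffers follow in the order their referent ids appeared above.
    out["LogonDomainName"] = r.conformant_varying(2).decode("utf-16-le")
    out["UserName"] = r.conformant_varying(2).decode("utf-16-le")
    out["Workstation"] = r.conformant_varying(2).decode("utf-16-le")
    out["NtChallengeResponse"] = r.conformant_varying(1)
    out["LmChallengeResponse"] = r.conformant_varying(1)
    assert [len(out[k]) * 2 for k in ("LogonDomainName", "UserName", "Workstation")] == [dom_len, user_len, ws_len]
    assert [len(out["NtChallengeResponse"]), len(out["LmChallengeResponse"])] == [nt_len, lm_len]
    out["ValidationLevel"] = r.u16()
    out["stub_consumed"] = r.pos             # should equal the RPC "hint" (0x13A)
    return out


if __name__ == "__main__":
    req = parse_sam_logon_request(STUB)
    assert req["stub_consumed"] == len(STUB) == 0x13A
    for key, value in req.items():
        print(f"{key:22s} {value.hex(' ') if isinstance(value, bytes) else value}")
```

Two details of the marshalling are worth noticing when reading the dump by hand: the referent ids of embedded pointers (the `xx 2E 15 00` values) are placeholders, and the buffers they refer to are written out only after the whole NETLOGON_NETWORK_INFO struct, in declaration order; and the `C9 11` and `45 00` pairs after the odd-length wide strings are alignment padding whose values the reader never interprets.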


