[Samba] NTLMv2 with win2003 AD question
77009833 at qq.com
Tue Feb 5 21:20:35 MST 2013
Thanks in advance.
I know my question below is not really related to Samba, but I'm really confused, and you guys are experts on Windows authentication,
I really hope you have patience to read this and I'll appreciate any of your help.
I learned a lot from this post http://lists.samba.org/archive/jcifs/2008-October/008227.html.
I know that a "man in the middle" technique, like 'JCIFS NTLM HTTP Authentication Filter', will not work when using NTLMv2 and the only technique is using NetLogon. Am I right?
Besides, a 'TargetInfo' field is necessary to calculate NTLMv2 response.
However, I'm reading a proxy code these days and did some test on it.
It uses the MITM technique, that is to say, the proxy returns the challenge of the SMB server (win2003 AD) to the browser, just like what 'JCIFS NTLM HTTP Authentication Filter' does.
The proxy uses the 'SMB_COM_NEGOTIATE' and 'SMB_COM_SESSION_SETUP_ANDX' commands to communicate with the Windows AD.
The topology is like this:
NTLMv1 works fine and makes sense indeed.
But I find that NTLMv2 works when using win2k3 AD, unexpectedly. This doesn't make sense.
Using Wireshark, I found that in 'Negotiate Flags', the 'Negotiate Target Info' field is not set.
and the NTLMv2 response is like this:
NTLMv2 Response: D99AF0F6AE2B97.....
Time: Feb 3, 2013 15:26:32.562500000
Name: NetBIOS domain name
Name type: NetBIOS domain name(2)
Name Len: 0
Name: End of list
The target info field just has one item with empty value...
This really confuses me.
Is it a bug in win2k3 AD, and does the proxy make use of the bug?
When I'm using win2k8 AD, NTLMv2 doesn't work. Win2k8 AD returns an 'Invalid Parameter' message in the 'SMB_COM_SESSION_SETUP_ANDX' response message.
BTW, the OSes are win2k3 R2 Enterprise SP2 and win2k8 R2 Enterprise SP1.