RE: NTLM

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sun, 24 Feb 2002 14:22:53 +1100

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@marasystems.com]
> Sent: Sunday, February 24, 2002 12:37 PM
> To: Robert Collins; Squid Developers Mailinglist
> Subject: Re: NTLM
>
>
> On Sunday 24 February 2002 01:58, Robert Collins wrote:
>
> > We like confusion. Actually, I'm confused here. Line 287 of
> > NTLMSSP/auth_ntlm.c is decoded = base64_decode(buf + 3); Where do
> > you see uudecode calls?
>
> In the other two helpers (fakeauth and no_auth).

Oh. Heh, heh, heh. No comment :].
 
> I am writing another simple helper doing NTLM locally using smbpasswd
> files. Thus I felt the fakeauth helper was a better starting point..

Weeel, I suspect that fakeauth actually decodes the packets incorrectly. I'd suggest starting with NTLM or winbind to get the decode and protocol logic, and replace the auth calls with memcmps to your smbpasswd's.
 
> > No. The authenticating workstation uses the secure channel to pass
> > the triple (challenge,result,user) to a domain controller of its
> > domain, which then passes the same to the correct domain if the
> > user is not in its domain.
>
> So you are saying that a member server in a NT network can ask to
> verify (challenge,NT-response,user,domain) with their own choice of
> challenge because the DC knows the station by its account?

Sort of. There are RPC calls that AFAIK require a secure channel to make them. One of them (My reference book isn't handy or I'd name it) is used by the winlogon process on windows NT to authenticate a user when they log in. That call uses the triple above, rather than a handshake. And yes, that does open the way for chosen plaintext attacks on the SAM :}.
 
> Makes me wonder why there is a negotiate packet in the first place
> however. It must have some function or else they would not put it
> there, would they? But it does explain the need of all those
> computer and trust accounts and makes some sense from an
> architectural point of view.

The negotiate packet is used to determine what level of NTLM the client supports (LANMAN....NTLMV2/Kerberos etc). See the samba documentation on the NTLMSSP struct.
 
> Do you know where can I find more info about this secure channel
> authentication method? I have another related project where I need to
> implement MSCHAPv2 to NT domains, and I strongly suspect MS RAS
> servers are utilising functions in this secure channel to perform
> MSCHAPv2. MSCHAPv2 (and MS-CHAP) uses MD4(NT#) as authentication key.

The secure channel is an encrypted channel extant only between members and domain controllers. MS document it at a high level, with a couple of white/tech papers IIRC at MSDN.
SAMBA have a lot of doco (as you might expect :}) but I think it's mainly in source form.

Rob
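An added example, not code from this thread or from Squid's helpers: it decodes a helper request line of the form "YR <base64>" the way the `buf + 3` above implies, checks the NTLMSSP signature and message type, and lists the negotiate flags the client set, which is how the negotiate packet advertises the NTLM level Rob refers to. Flag values follow MS-NLMP; the sample message is constructed here, and `build_negotiate` is a helper of this example only.

```python
import base64
import struct

# Subset of NTLMSSP negotiate flags (MS-NLMP 2.2.2.5), bit -> name.
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def parse_negotiate(blob):
    """Parse an NTLMSSP Type 1 (NEGOTIATE) message; reject anything malformed."""
    if len(blob) < 16:
        raise ValueError("message too short for an NTLMSSP header")
    if blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    msg_type, flags = struct.unpack_from("<II", blob, 8)  # little-endian
    if msg_type != 1:
        raise ValueError("expected NEGOTIATE (type 1), got type %d" % msg_type)
    names = [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]
    return {"flags": flags, "names": names}


def decode_helper_line(line):
    """Decode a helper line 'YR <base64>' (the 3-byte prefix is what buf + 3 skips)."""
    if len(line) < 4 or line[:3] != "YR ":
        raise ValueError("not a negotiate request line")
    # validate=True makes non-alphabet bytes an error instead of silently dropping them
    blob = base64.b64decode(line[3:].strip(), validate=True)
    return parse_negotiate(blob)


def build_negotiate(flags):
    """Constructed sample: header plus empty domain and workstation fields (8 bytes each)."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2


SAMPLE_FLAGS = 0xA0088207  # UNICODE|OEM|REQUEST_TARGET|NTLM|ALWAYS_SIGN|EXT_SESSSEC|128|56
SAMPLE_LINE = "YR " + base64.b64encode(build_negotiate(SAMPLE_FLAGS)).decode("ascii")
```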
Received on Sat Feb 23 2002 - 20:22:55 MST
