Luke Kenneth Casson Leighton
1998-Feb-01 20:46 UTC
NTDOM: SamLogon validation of one workstation to another via a PDC.
a piece of the puzzle of NT Domains is attached, which needs solving.

this packet is activated when a user of one NT workstation accesses a second NT workstation, the second NT workstation being a member of a domain. it is therefore a critically important part of the NT 3.5 / 4.0 Domain protocol, as it allows a user on one workstation to access files on another workstation, securely.

the 8-byte challenge (LmChallenge) and 24-byte LM and NT responses (LmChallengeResponse and NtChallengeResponse) of the SMBnegprot and SMBsessionsetupX between the first and second NT workstations are sent to the PDC, in the DCE/RPC packet shown below. presumably the challenge / responses are two-way obfuscated. the PDC decrypts the challenge and responses (presumably) and then does a standard SMB password validate, as if it had issued the SMBnegprot response, and received the SMBsessionsetupX query itself.

does anyone know what obfuscation / encryption is used to encode the challenge and responses in the packet below?

luke (samba team)

Luke Kenneth Casson Leighton <lkcl@samba.anu.edu.au>
Samba and Network Development: http://mailhost.cb1.com/~lkcl

Network Monitor trace Sun 02/01/98 17:54:51 \\regent\root\info\sam_challenge.txt
************************************************************************

Frame  Time   Src MAC Addr  Dst MAC Addr  Protocol  Description                                   Src Other Addr  Dst Other Addr  Type Other Addr
32     8.914  KNIGHT        REGENT        R_LOGON   RPC Client call logon:NetrLogonSamLogon(..)  KNIGHT          REGENT          IP

+ FRAME: Base frame properties
+ ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
+ IP: ID = 0x9205; Proto = TCP; Len: 458
+ TCP: .AP..., len: 418, seq: 1442186-1442603, ack:2491898253, win: 8313, src: 1032 dst: 139 (NBT Session)
+ NBT: SS: Session Message, Len: 414
+ SMB: C transact TransactNmPipe, FID = 0x801
+ MSRPC: c/o RPC Request: call 0x6 opnum 0x2 context 0x0 hint 0x13A
  R_LOGON: RPC Client call logon:NetrLogonSamLogon(..)
    R_LOGON: LOGONSRV_HANDLE LogonServer = \\REGENT
    R_LOGON: wchar_t ComputerName = KNIGHT
    R_LOGON: PNETLOGON_AUTHENTICATOR Authenticator {..}
      R_LOGON: NETLOGON_CREDENTIAL Credential {..}
        R_LOGON: CHAR data [..] = 89 97 14 C1 23 C6 7B BB
      R_LOGON: DWORD timestamp = 886355494 (0x34D4B626)
    R_LOGON: PNETLOGON_AUTHENTICATOR ReturnAuthenticator {..}
      R_LOGON: NETLOGON_CREDENTIAL Credential {..}
        R_LOGON: CHAR data [..] = B9 6E F6 77 00 00 14 00
      R_LOGON: DWORD timestamp = 0 (0x0)
    R_LOGON: NETLOGON_LOGON_INFO_CLASS LogonLevel = 2 (0x2)
    R_LOGON: PNETLOGON_LEVEL LogonInformation {..}
      R_LOGON: Switch Value = 2 (0x2)
      R_LOGON: PNETLOGON_NETWORK_INFO LogonNetwork {..}
        R_LOGON: NETLOGON_LOGON_IDENTITY_INFO Identity {..}
          R_LOGON: UNICODE_STRING LogonDomainName {..}
            R_LOGON: USHORT Length = 10 (0xA)
            R_LOGON: USHORT MaximumLength = 10 (0xA)
            R_LOGON: USHORT * Buffer = 1388208 (0x152EB0)
          R_LOGON: ULONG ParameterControl = 2 (0x2)
          R_LOGON: OLD_LARGE_INTEGER LogonId {..}
            R_LOGON: ULONG LowPart = 35800 (0x8BD8)
            R_LOGON: LONG HighPart = 0 (0x0)
          R_LOGON: UNICODE_STRING UserName {..}
            R_LOGON: USHORT Length = 8 (0x8)
            R_LOGON: USHORT MaximumLength = 8 (0x8)
            R_LOGON: USHORT * Buffer = 1388218 (0x152EBA)
          R_LOGON: UNICODE_STRING Workstation {..}
            R_LOGON: USHORT Length = 16 (0x10)
            R_LOGON: USHORT MaximumLength = 16 (0x10)
            R_LOGON: USHORT * Buffer = 1388226 (0x152EC2)
        R_LOGON: LM_CHALLENGE LmChallenge {..}
          R_LOGON: CHAR data [..] = FB DA 8B 7F 9B 0B C1 9E
        R_LOGON: STRING NtChallengeResponse {..}
          R_LOGON: USHORT Length = 24 (0x18)
          R_LOGON: USHORT MaximumLength = 24 (0x18)
          R_LOGON: PCHAR Buffer = 1388242 (0x152ED2)
        R_LOGON: STRING LmChallengeResponse {..}
          R_LOGON: USHORT Length = 24 (0x18)
          R_LOGON: USHORT MaximumLength = 24 (0x18)
          R_LOGON: PCHAR Buffer = 1388266 (0x152EEA)
        R_LOGON: USHORT * Buffer [..] = 0054 0045 0053 0054 0033
        R_LOGON: USHORT * Buffer [..] = 006C 006B 0063 006C
        R_LOGON: USHORT * Buffer [..] = 005C 005C 0052 0045 0047 0045 004E 0054
        R_LOGON: PCHAR Buffer [..] = 42 4C FF D2 71 BB 8F 24 4B 9F 86 8B A7 A3 DA D3 96 14 88 45 7E BB B5 28
        R_LOGON: PCHAR Buffer [..] = 5D F4 44 C6 A2 CC DE 7E 22 5F C2 F6 B4 C6 3B 2D C1 CF B0 29 F5 D4 92 2E
    R_LOGON: NETLOGON_VALIDATION_INFO_CLASS ValidationLevel = 3 (0x3)

00000: 00 C0 5C 03 12 1E 00 80 C8 81 8F 9D 08 00 45 00 ..\...........E.
00010: 01 CA 92 05 40 00 80 06 B1 B7 C2 9F 18 18 C2 9F ....@...........
00020: 18 1A 04 08 00 8B 00 16 01 8A 94 87 59 8D 50 18 ............Y.P.
00030: 20 79 B5 F8 00 00 00 00 01 9E FF 53 4D 42 25 00  y.........SMB%.
00040: 00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00 ................
00090: B8 CE ..
000A0: 14 00 09 00 00 00 00 00 00 00 09 00 00 00 5C 00 ..............\.
000B0: 5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 00 00 \.R.E.G.E.N.T...
000C0: C9 11 B4 3C 95 75 07 00 00 00 00 00 00 00 07 00 ...<.u..........
000D0: 00 00 4B 00 4E 00 49 00 47 00 48 00 54 00 00 00 ..K.N.I.G.H.T...
000E0: 00 00 F8 F9 49 01 89 97 14 C1 23 C6 7B BB 26 B6 ....I.....#.{.&.
000F0: D4 34 04 FA 49 01 B9 6E F6 77 00 00 14 00 00 00 .4..I..n.w......
00100: 00 00 02 00 02 00 28 FD 49 01 0A 00 0A 00 B0 2E ......(.I.......
00110: 15 00 02 00 00 00 D8 8B 00 00 00 00 00 00 08 00 ................
00120: 08 00 BA 2E 15 00 10 00 10 00 C2 2E 15 00 FB DA ................
00130: 8B 7F 9B 0B C1 9E 18 00 18 00 D2 2E 15 00 18 00 ...............
00140: 18 00 EA 2E 15 00 05 00 00 00 00 00 00 00 05 00 ................
00150: 00 00 54 00 45 00 53 00 54 00 33 00 45 00 04 00 ..T.E.S.T.3.E...
00160: 00 00 00 00 00 00 04 00 00 00 6C 00 6B 00 63 00 ..........l.k.c.
00170: 6C 00 08 00 00 00 00 00 00 00 08 00 00 00 5C 00 l.............\.
00180: 5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 18 00 \.R.E.G.E.N.T...
00190: 00 00 00 00 00 00 18 00 00 00 42 4C FF D2 71 BB ..........BL..q.
001A0: 8F 24 4B 9F 86 8B A7 A3 DA D3 96 14 88 45 7E BB .$K..........E~.
001B0: B5 28 18 00 00 00 00 00 00 00 18 00 00 00 5D F4 .(............].
001C0: 44 C6 A2 CC DE 7E 22 5F C2 F6 B4 C6 3B 2D C1 CF D....~"_....;-..
001D0: B0 29 F5 D4 92 2E 03 00 .)......
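The hex dump in the post is complete from frame offset 0x0A0 to the end of the frame, which is enough to walk the NDR-marshalled stub of the NetrLogonSamLogon request by hand. The following parser is an added example, not code from the post or from Samba: it loads those dump lines, applies the NDR rules (little-endian scalars, alignment relative to the start of the stub, conformant/varying strings and arrays, pointer referents deferred to the end of the enclosing structure) and recovers exactly the fields that Network Monitor decoded, including the 8-byte LmChallenge and the two 24-byte responses that the post asks about. Two assumptions are labelled in the code: the stub data is taken to begin at frame offset 0x9E (24 bytes of DCE/RPC request header before the referent id of LogonServer, which is where the observed 4-byte alignment of every later field works out), and because the 00090 line of the dump is truncated the referent id of LogonServer is skipped and parsing starts at its string header at 0x0A2.

```python
import re
import struct

# Hex dump lines copied from the Network Monitor trace in the post (frame
# offsets 0x0A0 through 0x1D7).  Earlier lines are truncated in the post, so
# the Ethernet/IP/TCP/SMB/RPC headers are not reconstructed here.
TRACE = r"""
000A0: 14 00 09 00 00 00 00 00 00 00 09 00 00 00 5C 00 ..............\.
000B0: 5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 00 00 \.R.E.G.E.N.T...
000C0: C9 11 B4 3C 95 75 07 00 00 00 00 00 00 00 07 00 ...<.u..........
000D0: 00 00 4B 00 4E 00 49 00 47 00 48 00 54 00 00 00 ..K.N.I.G.H.T...
000E0: 00 00 F8 F9 49 01 89 97 14 C1 23 C6 7B BB 26 B6 ....I.....#.{.&.
000F0: D4 34 04 FA 49 01 B9 6E F6 77 00 00 14 00 00 00 .4..I..n.w......
00100: 00 00 02 00 02 00 28 FD 49 01 0A 00 0A 00 B0 2E ......(.I.......
00110: 15 00 02 00 00 00 D8 8B 00 00 00 00 00 00 08 00 ................
00120: 08 00 BA 2E 15 00 10 00 10 00 C2 2E 15 00 FB DA ................
00130: 8B 7F 9B 0B C1 9E 18 00 18 00 D2 2E 15 00 18 00 ...............
00140: 18 00 EA 2E 15 00 05 00 00 00 00 00 00 00 05 00 ................
00150: 00 00 54 00 45 00 53 00 54 00 33 00 45 00 04 00 ..T.E.S.T.3.E...
00160: 00 00 00 00 00 00 04 00 00 00 6C 00 6B 00 63 00 ..........l.k.c.
00170: 6C 00 08 00 00 00 00 00 00 00 08 00 00 00 5C 00 l.............\.
00180: 5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 18 00 \.R.E.G.E.N.T...
00190: 00 00 00 00 00 00 18 00 00 00 42 4C FF D2 71 BB ..........BL..q.
001A0: 8F 24 4B 9F 86 8B A7 A3 DA D3 96 14 88 45 7E BB .$K..........E~.
001B0: B5 28 18 00 00 00 00 00 00 00 18 00 00 00 5D F4 .(............].
001C0: 44 C6 A2 CC DE 7E 22 5F C2 F6 B4 C6 3B 2D C1 CF D....~"_....;-..
001D0: B0 29 F5 D4 92 2E 03 00 .)......
"""

# Assumption: the RPC stub starts 24 bytes (DCE/RPC request header) before the
# LogonServer referent id, i.e. at frame offset 0x9E.  NDR aligns relative to
# this point, and every later field lines up on that basis.
STUB_OFFSET = 0x9E


def load_dump(text):
    """Return (first_frame_offset, bytes) for a contiguous NetMon hex dump."""
    data = {}
    for line in text.splitlines():
        m = re.match(r'^([0-9A-F]{5}): ((?:[0-9A-F]{2} )+)', line)
        if not m:
            continue
        start = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            data[start + i] = int(tok, 16)
    lo, hi = min(data), max(data)
    if len(data) != hi - lo + 1:
        raise ValueError("hex dump has a gap")
    return lo, bytes(data[o] for o in range(lo, hi + 1))


class Ndr:
    """Minimal little-endian NDR reader; alignment is relative to the stub start."""

    def __init__(self, buf, buf_offset, stub_offset):
        self.buf, self.buf_offset, self.stub_offset = buf, buf_offset, stub_offset
        self.pos = 0

    def seek_frame(self, frame_offset):
        self.pos = frame_offset - self.buf_offset

    def align(self, n):
        rel = self.buf_offset + self.pos - self.stub_offset
        self.pos += (-rel) % n

    def take(self, n):
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stub")
        self.pos += n
        return chunk

    def u16(self):
        self.align(2)
        return struct.unpack('<H', self.take(2))[0]

    def u32(self):
        self.align(4)
        return struct.unpack('<I', self.take(4))[0]

    def wstr(self):
        # Conformant varying array of wchar_t: max count, offset, actual count.
        _max, _off, actual = self.u32(), self.u32(), self.u32()
        return self.take(actual * 2).decode('utf-16-le').rstrip('\0')

    def octets(self):
        # Conformant varying array of CHAR: max count, offset, actual count.
        _max, _off, actual = self.u32(), self.u32(), self.u32()
        return self.take(actual)

    def authenticator(self):
        # NETLOGON_AUTHENTICATOR: 8-byte credential followed by a DWORD timestamp.
        return {'credential': self.take(8).hex(), 'timestamp': self.u32()}

    def counted_hdr(self):
        # UNICODE_STRING / STRING header: Length, MaximumLength, Buffer referent.
        return self.u16(), self.u16(), self.u32()


def parse_samlogon_request(trace=TRACE):
    """Decode the NetrLogonSamLogon request stub captured in the trace."""
    lo, buf = load_dump(trace)
    r = Ndr(buf, lo, STUB_OFFSET)
    # The LogonServer referent id straddles the truncated 00090 line, so start
    # at the conformant string header that follows it.
    r.seek_frame(0xA2)
    req = {}
    req['LogonServer'] = r.wstr()
    r.u32()                                   # referent id: ComputerName
    req['ComputerName'] = r.wstr()
    r.u32()                                   # referent id: Authenticator
    req['Authenticator'] = r.authenticator()
    r.u32()                                   # referent id: ReturnAuthenticator
    req['ReturnAuthenticator'] = r.authenticator()
    req['LogonLevel'] = r.u16()               # NETLOGON_LOGON_INFO_CLASS (enum16)
    req['SwitchValue'] = r.u16()              # union discriminator for LogonInformation
    r.u32()                                   # referent id: LogonNetwork
    # NETLOGON_LOGON_IDENTITY_INFO: the three counted strings carry only their
    # headers here; the characters are deferred referents further on.
    dom_hdr = r.counted_hdr()
    req['ParameterControl'] = r.u32()
    low, high = r.u32(), r.u32()              # OLD_LARGE_INTEGER LogonId
    req['LogonId'] = low | (high << 32)
    user_hdr = r.counted_hdr()
    wks_hdr = r.counted_hdr()
    req['LmChallenge'] = r.take(8)            # LM_CHALLENGE, 8 bytes inline
    nt_hdr = r.counted_hdr()
    lm_hdr = r.counted_hdr()
    # Deferred referents arrive in the order their pointers appeared.
    req['LogonDomainName'] = r.wstr()
    req['UserName'] = r.wstr()
    req['Workstation'] = r.wstr()
    req['NtChallengeResponse'] = r.octets()
    req['LmChallengeResponse'] = r.octets()
    req['ValidationLevel'] = r.u16()          # NETLOGON_VALIDATION_INFO_CLASS
    if r.pos != len(buf):
        raise ValueError("trailing bytes after ValidationLevel")
    # Cross-check the Length announced in each header against what arrived.
    announced = {'LogonDomainName': dom_hdr[0], 'UserName': user_hdr[0],
                 'Workstation': wks_hdr[0], 'NtChallengeResponse': nt_hdr[0],
                 'LmChallengeResponse': lm_hdr[0]}
    for key, length in announced.items():
        val = req[key]
        got = len(val.encode('utf-16-le')) if isinstance(val, str) else len(val)
        if got != length:
            raise ValueError(f"{key}: header says {length} bytes, got {got}")
    return req


if __name__ == '__main__':
    for key, val in parse_samlogon_request().items():
        print(f"{key:22} {val.hex() if isinstance(val, bytes) else val}")
```

Running it prints the same values Network Monitor shows in the tree above, which confirms that nothing in the request beyond the standard NDR marshalling hides the challenge and responses: the 8-byte challenge and both 24-byte responses travel in the stub exactly as the workstation received them, with only the Authenticator credential and timestamp depending on the machine account's session key.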