samba - Apr 1999 - WANTED: Technical NT Security Info

NT uses proprietary encryption mechanisms to protect passwords and to
authenticate users.  There is no one source of information on these
schemes outside of Microsoft.

If anyone has any information on any of the following or any other topics
that they would like to see published as a White Paper, please contact
lkcl@iss.net. 

The paper will include as comprehensive a list of these mechanisms as
possible, and will include a review of their weaknesses and strengths.


Known, documented mechanisms
----------------------------

- LM 16 byte cleartext-equivalent password hashes.

- NT 16 byte cleartext-equivalent password hashes.

- SMB NTLM 8-byte random challenge / 24-byte LM and NT response.

- DCE/RPC NETLOGON pipe "Interactive" and "Netlogon"
credential chain
system.  Uses Trust Accounts (Workstation, Inter-Domain and Server).  NT
4.0 Service Pack 3 and below only.


Known, coded (but undocumented) mechanisms
------------------------------------------

- DCE/RPC encryption (sign and seal) NTLMSSP version 1, 40-bit only.

- DCE/RPC SAM database password updates (SamrSetInformationUser).

- DCE/RPC lsarpc secret info (LsaQuerySecretInfo).


Unknown, undocumented mechanisms
--------------------------------

- SMB NTLMv2 8-byte random challenge / NTLMv2 variable-length responses. 
added to NT 4.0 Service Pack 4 but not NT 5.0 beta 3 :-) 

- DCE/RPC encryption (sign and seal) NTLMSSP version 1, 128-bit and
"session key negotiation".

- DCE/RPC encryption (sign and seal) NTLMSSP version 2.  added to NT 4.0
Service Pack 4 and above.

- DCE/RPC NETLOGON "Secured Channel".  added to NT 4.0 Service Pack 4
and
above. 

- DCE/RPC PDC <-> BDC SAM database replication.



<a href="mailto:lkcl@samba.org"   > Luke Kenneth Casson Leighton
</a>
<a href="http://www.cb1.com/~lkcl"> Samba and Network
Development </a>
<a href="http://samba.org"        > Samba Web site              
</a>

====================================================================Luke Kenneth
Casson Leighton        |  Direct Dial   : (678) 443-6183
Systems Engineer / ISS XForce Team  |  ISS Front Desk: (678) 443-6000
Internet Security Systems, Inc.     |  ISS Fax       : (678) 443-6477

http://www.iss.net/    *Adaptive Network Security for the Enterprise*
     ISS Connect   -   International User Conference   -  May '99
=====================================================================