On Wed, 2013-02-06 at 12:20 +0800, ???? wrote:
> Hi
>
> Thanks in advance.
> I know my question below is not really related to samba, but I'm
> really confused, and you guys are experts on Windows authentication.
> I really hope you have the patience to read this, and I'll appreciate any of
> your help.
>
> I learned a lot from this post:
> http://lists.samba.org/archive/jcifs/2008-October/008227.html.
> I know that a "man in the middle" technique, like 'JCIFS NTLM
> HTTP Authentication Filter', will not work when using NTLMv2, and the only
> technique is using NetLogon. Am I right?
> Besides, a 'TargetInfo' field is necessary to calculate the NTLMv2
> response.
>
> However, I'm reading some proxy code these days and did some tests on it.
> It uses the MITM technique, that is to say, the proxy returns the challenge of
> the SMB server (win2003 AD) to the browser, just like what 'JCIFS NTLM HTTP
> Authentication Filter' does.
> The proxy uses the 'SMB_COM_NEGOTIATE' and
> 'SMB_COM_SESSION_SETUP_ANDX' commands to communicate with the Windows AD.
>
> The topology is like this:
>
> browser-------------------proxy-------------------------win2003 AD
>
> NTLMv1 works fine and makes sense indeed.
>
> But I find that NTLMv2 works when using win2k3 AD, unexpectedly. This
> doesn't make sense.
> Using Wireshark, I found that in 'Negotiate Flags', the
> 'Negotiate Target Info' field is not set,
> and the NTLMv2 response is like this:
>
> NTLMv2 Response: D99AF0F6AE2B97.....
> HMAC: D99AF0F6AE2B97...
> Header: 0x00000101
> Reserved: 0x00000000
> Time: Feb 3, 2013 15:26:32.562500000
> Unknown: 0x00000000
> Name: NetBIOS domain name
> Name type: NetBIOS domain name(2)
> Name Len: 0
> Name:
> Name: End of list
>
> The target info field just has one item with an empty value...
>
> This really confuses me.
> Is it a bug in win2k3 AD, and is the bug being made use of??
>
> When I'm using win2k8 AD, NTLMv2 doesn't work. Win2k8 AD returns an
> 'Invalid Parameter' message in the 'SMB_COM_SESSION_SETUP_ANDX'
> response message.
>
> BTW, the OS is win2k3 R2 Enterprise SP2 and win2k8 R2 Enterprise SP1.

This looks like a reasonable analysis. If the client does not check the
target information then the protections of NTLMv2 are indeed very
limited. The same applies to the server.
Samba currently matches Windows 2003 in this regard, and yes, with the
new information we have in the AD DC (servicePrincipalName values), we
should be able to enforce this properly. I would love a patch to do
this in a way that matches Windows behaviour, both for the client and
server.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
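As an added example that is not part of this thread or of Samba's code: a parser for the NTLMv2 response blob dissected in the question (layout per MS-NLMP 2.2.2.8 NTLMv2_RESPONSE and 2.2.2.1 AV_PAIR) together with the kind of server-side target-info check Andrew describes, which rejects a blob whose only AV pair is an empty NetBIOS domain name. The sample blobs, the domain name CORP and the host name dc1.corp.example are constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR)
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN = 0x0000, 0x0001, 0x0002
AV_DNS_COMPUTER, AV_DNS_DOMAIN = 0x0003, 0x0004
# NTLMv2_CLIENT_CHALLENGE fixed part: RespType, HiRespType, Reserved1,
# Reserved2, TimeStamp (FILETIME), ChallengeFromClient, Reserved3
CLIENT_CHALLENGE = struct.Struct("<BBHIQQI")

def filetime_to_iso(ft):
    """Decode the 100 ns-since-1601 TimeStamp field to an ISO-8601 UTC string."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ft // 10)).isoformat()

def parse_ntlmv2_response(blob):
    """Return (NTProofStr, timestamp, client_challenge, [(AvId, value), ...])."""
    nt_proof = blob[:16]
    resp_type, hi_type, _, _, ts, challenge, _ = CLIENT_CHALLENGE.unpack_from(blob, 16)
    if (resp_type, hi_type) != (1, 1):   # Wireshark shows these bytes as Header 0x00000101
        raise ValueError("not an NTLMv2 response")
    pos, pairs = 16 + CLIENT_CHALLENGE.size, []
    while True:                          # walk the AV_PAIR list up to MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value, pos = blob[pos + 4:pos + 4 + av_len], pos + 4 + av_len
        if av_id == AV_EOL:
            return nt_proof, ts, challenge, pairs
        pairs.append((av_id, value))

def target_info_ok(blob, expected_nb_domain):
    """Server-side rule: the target info must name this domain, and the name
    must be non-empty. The relayed blob from the capture fails this check."""
    _, _, _, pairs = parse_ntlmv2_response(blob)
    names = [v.decode("utf-16-le") for i, v in pairs if i == AV_NB_DOMAIN]
    return bool(names) and all(n.upper() == expected_nb_domain.upper() for n in names)

def build_blob(av_pairs, ft=130043787925625000):
    """Constructed NTLMv2_RESPONSE with a zero NTProofStr and a fixed client challenge."""
    body = CLIENT_CHALLENGE.pack(1, 1, 0, 0, ft, 0x0102030405060708, 0)
    for av_id, value in av_pairs + [(AV_EOL, b"")]:
        body += struct.pack("<HH", av_id, len(value)) + value
    return b"\x00" * 16 + body

# Constructed samples: the empty-domain-name blob seen in the capture, and one
# whose AV pairs carry the names the server put in its TargetInfo
RELAYED_BLOB = build_blob([(AV_NB_DOMAIN, b"")])
GOOD_BLOB = build_blob([(AV_NB_DOMAIN, "CORP".encode("utf-16-le")),
                        (AV_DNS_COMPUTER, "dc1.corp.example".encode("utf-16-le"))])
```

A real verifier would also recompute NTProofStr with the NTLMv2 hash before trusting the AV pairs; this block only shows the structural check on the target info.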