LDAP/MSCHAP

[Sven Hartge]

Sven Hartge <sven at svenhartge.de> wrote:
> Andreas Rudat <rudat at endstelle.de> wrote:
>> Am 11.11.2011 03:56, schrieb Fajar A. Nugraha:
>>> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten <Ggatten at waddell.com> wrote:

>>>> I agree with Jake, in that I *think* it would be possible to have a
>>>> plugin or whatever interface with LDAP/AD in the same manner
>>>> ntlm_auth does.  I don't think one *needs* a cleartext password,
>>>> but does need some way to compare apples-to-apples.
>>> That's exactly what Alan is saying: " store your passwords in the
>>> LDAP as NT-Password or LM-Password "

>> But if that works, why then all are saying that you can just work
>> with plaintext? Its realy confusing.

> NT/LM-Password is "special". This is why it works with MSCHAPv2, both
> being a MicroSoft "invention".

To be precise: MSCHAPv2 works with the NT/LM-Password as input to the
Challenge-Handshake and not the "raw" cleartext password. This is why
this works.

FreeRADIUS converts a cleartext password into the needed NT-Hash and
then applies this to the MSCHAPv2 handshake. Or it uses a pre-existing
NT-Hash from LDAP/MySQL/whatever.

Quote from http://en.wikipedia.org/wiki/NTLM
,----
| The NTLM protocol uses one or both of two hashed password values, both
| of which are also stored on the server (or domain controller), and which
| are password equivalent, meaning that if you grab the hash value from
| the server, you can authenticate without knowing the actual password.
`----

This also means you have to protect those Hashes inside your database
like a raw cleartext password, as you can authenticate to any Windows
box with the knowledge of the NT/LM-Hash.

This has been exploitet by several Windows trojan horses, which grabbed
to NT-Hash from the Administrator user to login into other boxes on the
network using the same password (or worse: the domain controller).

Grüße,
S°

-- 
Sigmentation fault. Core dumped.