NTLM

Alan DeKok aland at ox.org
Thu Feb 23 02:06:56 CET 2006


Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> Ok, different libntlm then. Have you got the URL handy?

http://josefsson.org/libntlm/

> I don't know what you mean by this. Samba can act as both a client and 
> (member) server for win2k/win2k3 authentication methods (GSS-SPNEGO 
> primarily) using machine account credentials acquired using that domains 
> native protocols (kerberos+LDAP).

  You keep saying "machine authentication".  I'm talking about
authenticating users.

  I did this using Samba & smbclient.  There were 4 packets.  Most of
the packet content was NTLM stuff.  There was no extra RPC nonsense,
like is done with a normal XP login to a DC.

> The point I am (badly) trying to communicate is that, with a microsoft 
> domain controller (NT4, win2k, win2k3), to execute the RPC call required 
> to validate an MS-CHAPv2 request and return the NT key you MUST have a 
> machine account in the domain

  For user authentication?  I don't think so.

> It's 4 packets for me too, but TCP segments on an already-open MSRPC 
> pipe to a domain controller.

  Uh, no.  Try using smbclient to grab a list of shares from a domain
controller.  It's 4 packets to authenticate the user, start to finish.
The rest of the traffic is the "get list of shares" stuff.  And those
packets happen after the authentication.

> The SMB packets are SMB-signed/sealed, the 
> contents are a Netlogon SCHANNEL RPC which is itself further signed and 
> sealed, and the variety and number of versions of a call and versions of 
> structures passed as arguments are truly, truly bewildering.

  Yes.  I've spent time looking at those RPCs, they're truly horrid.

  But... I can't argue with success.  smbclient does NTLM
authentication in 4 packets.  Why can't we?

  I understand the whole complexity and RPC nonsense, but forgive me
if I'm stuck on a working example.

  Try it.  Start tcpdump listening on packets from your machine to a
domain controller.  Verify that there are no packets going to the DC.
Run smbclient to get the list of shares.  Look at how many packets go
back and forth.  Then, tell me it's a huge amount of work to replicate
that traffic, because there are endless other RPCs that have to be
done.

  I just don't believe it.  And I don't understand why you think it's
so complicated to reproduce that traffic.  I *think* you're talking
about reproducing an entirely different kind of traffic, with a lot
more packets.

  I've spent time looking at the Windows AD RPCs.  In order to do a
full XP-style login, there are nearly billions of packets you have to
send back and forth.  There are CLDAP packets, RPC packets, and
multiple kinds of crap inside of the RPCs.  But smbclient doesn't do
any of that.  And it's very successful doing NTLM against a domain
controller, where that domain controller refuses to allow rlm_smb to
work.

  The point here is that smbclient is *not* doing a full XP-style
login.  That would be truly a large amount of work.  Instead,
smbclient is doing something much simpler.

  Again, try it.  Then, explain why we need to do more to get the same
result of authenticating the user.

  Alan DeKok.
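An added example (not code from this thread, FreeRADIUS or Samba) for checking what a capture of the smbclient exchange above actually carries: a small Python parser for the NTLMSSP header embedded in SMB Session Setup packets, which classifies each packet as NEGOTIATE, CHALLENGE or AUTHENTICATE and verifies that a complete NTLM handshake is present. The sample payloads are constructed inline, not real captures; the NTLMSSP layout used (8-byte signature, little-endian message type, ServerChallenge at offset 24 of a CHALLENGE message) follows the published NTLM wire format.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def find_ntlmssp(payload: bytes):
    """Return (message_type, server_challenge_or_None) for the first NTLMSSP
    blob embedded in a packet payload, or None if it carries none.
    Layout: 8-byte signature, 4-byte LE message type; a CHALLENGE message
    has TargetNameFields (8) and NegotiateFlags (4) before the 8-byte
    ServerChallenge, which therefore starts at offset 24."""
    idx = payload.find(NTLMSSP_SIGNATURE)
    if idx < 0 or len(payload) < idx + 12:
        return None
    msg_type = struct.unpack_from("<I", payload, idx + 8)[0]
    if msg_type not in MESSAGE_NAMES:
        return None
    challenge = None
    if msg_type == 2:
        if len(payload) < idx + 32:
            return None  # truncated CHALLENGE: no usable ServerChallenge
        challenge = payload[idx + 24:idx + 32]
    return msg_type, challenge


def classify_exchange(payloads):
    """Names of the NTLM messages found in a list of captured payloads,
    in capture order; packets with no NTLMSSP blob are ignored."""
    return [MESSAGE_NAMES[info[0]]
            for info in map(find_ntlmssp, payloads) if info]


def handshake_complete(payloads):
    """True when NEGOTIATE, CHALLENGE and AUTHENTICATE all appear in order:
    the whole of what a plain NTLM session setup exchanges."""
    return classify_exchange(payloads) == ["NEGOTIATE", "CHALLENGE", "AUTHENTICATE"]


def _ntlmssp(msg_type, body=b""):
    # Helper for building constructed sample messages.
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + body


# Constructed sample payloads: an SMB Negotiate Protocol packet with no NTLM
# blob, then the three NTLMSSP messages inside Session Setup packets.
SAMPLE_CHALLENGE = bytes(range(0x10, 0x18))  # 8 constructed challenge bytes
SAMPLE_PAYLOADS = [
    b"\xffSMB\x72" + b"\x00" * 20,                                    # no NTLMSSP
    b"\xffSMB\x73" + _ntlmssp(1, b"\x00" * 24),                       # NEGOTIATE
    b"\xffSMB\x73" + _ntlmssp(2, b"\x00" * 12 + SAMPLE_CHALLENGE + b"\x00" * 16),
    b"\xffSMB\x73" + _ntlmssp(3, b"\x00" * 64),                       # AUTHENTICATE
]
```

Feeding it the payloads extracted from a real tcpdump of the smbclient run shows directly which of the captured packets belong to the NTLM handshake and which are the share-listing traffic that follows.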



More information about the Freeradius-Users mailing list