NTLM
Laker Netman
laker_netman at yahoo.com
Thu Feb 23 15:49:47 CET 2006
--- Alan DeKok <aland at ox.org> wrote:
> Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> > Ok, different libntlm then. Have you got the URL handy?
>
> http://josefsson.org/libntlm/
>
> > I don't know what you mean by this. Samba can act as both a client and
> > (member) server for win2k/win2k3 authentication methods (GSS-SPNEGO
> > primarily) using machine account credentials acquired using that domain's
> > native protocols (kerberos+LDAP).
>
> You keep saying "machine authentication". I'm talking about
> authenticating users.
>
> I did this using Samba & smbclient. There were 4 packets. Most of
> the packet content was NTLM stuff. There was no extra RPC nonsense,
> like is done with a normal XP login to a DC.
>
> > The point I am (badly) trying to communicate is that, with a microsoft
> > domain controller (NT4, win2k, win2k3), to execute the RPC call required
> > to validate an MS-CHAPv2 request and return the NT key you MUST have a
> > machine account in the domain
>
> For user authentication? I don't think so.
>
> > It's 4 packets for me too, but TCP segments on an already-open MSRPC
> > pipe to a domain controller.
>
> Uh, no. Try using smbclient to grab a list of shares from a domain
> controller. It's 4 packets to authenticate the user, start to finish.
> The rest of the traffic is the "get list of shares" stuff. And those
> packets happen after the authentication.
>
> > The SMB packets are SMB-signed/sealed, the contents are a Netlogon
> > SCHANNEL RPC which is itself further signed and sealed, and the variety
> > and number of versions of a call and versions of structures passed as
> > arguments are truly, truly bewildering.
>
> Yes. I've spent time looking at those RPC's, they're truly horrid.
>
> But... I can't argue with success. smbclient does NTLM
> authentication in 4 packets. Why can't we?
>
> I understand the whole complexity and RPC nonsense, but forgive me
> if I'm stuck on a working example.
>
> Try it. Start tcpdump listening on packets from your machine to a
> domain controller. Verify that there are no packets going to the DC.
> Run smbclient to get the list of shares. Look at how many packets go
> back and forth. Then, tell me it's a huge amount of work to replicate
> that traffic, because there are endless other RPC's that have to be
> done.
>
> I just don't believe it. And I don't understand why you think it's
> so complicated to reproduce that traffic. I *think* you're talking
> about reproducing an entirely different kind of traffic, with a lot
> more packets.
>
> I've spent time looking at the Windows AD RPC's. In order to do a
> full XP-style login, there are nearly billions of packets you have to
> send back and forth. There are CLDAP packets, RPC packets, and
> multiple kinds of crap inside of the RPC's. But smbclient doesn't do
> any of that. And it's very successful doing NTLM against a domain
> controller, where that domain controller refuses to allow rlm_smb to
> work.
>
> The point here is that smbclient is *not* doing a full XP-style
> login. That would be truly a large amount of work. Instead,
> smbclient is doing something much simpler.
>
> Again, try it. Then, explain why we need to do more to get the same
> result of authenticating the user.
>
> Alan DeKok.
NTLM is sufficient to gain access to resources on
Windows domain, "machine account" or no, in ANY
windows domain flavor.
To wit: I access shares and printers on work systems
from home, via vpn, by mapping a drive and specifying
a different username/password than my home system
login in the process.
To let our work DC (mixed-mode W2K3 AD) know who I am
(from its perspective) I qualify my credentials with
my work domain.
Thus,
user: WORKDOMAIN\username
password: <domain_password>
My home PCs are not "work" domain members. In fact, I
run my own "home" domain. So these home systems
actually have different native security (machine
account) credentials than my work PC.
A machine account is required (and only available to
NT-branch OSes, i.e., not 95, 98, ME) to allow the
domain controller to administer the security of the
"workstation".
Things like group policy, (workstation-level) registry
and share management, etc., necessitate a machine
account.
Laker
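Both posts above come down to the same observation: the NTLM exchange smbclient carries in its session setup packets contains only DOMAIN\user plus a challenge response, and no machine-account material. The following is an added example, not code from the thread or from Samba or FreeRADIUS: a small parser for the three raw NTLMSSP messages (NEGOTIATE, CHALLENGE, AUTHENTICATE) as they appear in an SMB session setup, which lets someone inspecting a capture confirm what the client actually presented. Field offsets follow the NTLMSSP message layouts; the sample AUTHENTICATE message is constructed by the builder function (a 24-byte placeholder stands in for the real NT response, and the optional Version and MIC fields are omitted), so the names WORKDOMAIN, username and HOMEPC are assumed values, not from any real capture.

```python
import struct
NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

def _field(msg, off):
    # A "Fields" entry is Len(2), MaxLen(2), BufferOffset(4), little-endian; data sits at BufferOffset.
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
    return msg[buf_off:buf_off + length]

def parse_ntlmssp(msg):
    """Describe one NTLMSSP message; None if the blob is not NTLMSSP."""
    if len(msg) < 12 or not msg.startswith(NTLMSSP_SIG):
        return None
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": msg_type}
    if msg_type == NEGOTIATE:          # client -> server: only the flags matter here
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
    elif msg_type == CHALLENGE:        # server -> client: carries the 8-byte nonce
        info["flags"] = struct.unpack_from("<I", msg, 20)[0]
        info["server_challenge"] = msg[24:32]
    elif msg_type == AUTHENTICATE:     # client -> server: DOMAIN\user and the response
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        info["domain"] = _field(msg, 28).decode(enc)
        info["user"] = _field(msg, 36).decode(enc)
        info["workstation"] = _field(msg, 44).decode(enc)
        info["nt_response_len"] = len(_field(msg, 20))
    return info

def build_authenticate(domain, user, workstation, nt_response, flags=NEGOTIATE_UNICODE):
    """Constructed AUTHENTICATE_MESSAGE (no Version/MIC fields) to exercise the parser."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    # Payload order: LM response, NT response, domain, user, workstation, session key
    items = [b"", nt_response, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    header_len = 8 + 4 + 8 * len(items) + 4  # 64 bytes of fixed header before the payload
    hdr = bytearray(NTLMSSP_SIG + struct.pack("<I", AUTHENTICATE))
    payload = bytearray()
    for item in items:
        hdr += struct.pack("<HHI", len(item), len(item), header_len + len(payload))
        payload += item
    return bytes(hdr + struct.pack("<I", flags) + payload)

def who_authenticated(blobs):
    """Given the security blobs of one session setup, return 'DOMAIN\\user' or None."""
    for parsed in map(parse_ntlmssp, blobs):
        if parsed and parsed["type"] == AUTHENTICATE:
            return f"{parsed['domain']}\\{parsed['user']}"
    return None
```

Feeding the security blobs extracted from the two session setup requests and the challenge response into who_authenticated() yields the qualified user the client claimed; nothing in those three messages identifies a machine account.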