Bugtraq mailing list archives

Re[2]: iXsecurity.tool.smbproxy.1.0.0


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Mon, 3 Dec 2001 20:06:14 +0300

Hello Pavel,

I saw no original message on Bugtraq. But I'll try to comment.

--Saturday, December 01, 2001, 8:33:19 PM, you wrote to patrik.karlsson () ixsecurity com:

PK> On Tue, 6 Nov 2001 patrik.karlsson () ixsecurity com wrote:

Windows NT/2000 login:
1. A=>B: Requests a logon to the server.
2. B=>A: N
3. A=>B: E(N,H(P))

This is the NTLMv1 logon scenario. It's only true on NT login (NT with SP4
and Win9x with Directory Services Client can be set up to use NTLMv2
instead though). Win2K uses Kerberos for Domain logons and NTLM v2 to
log on to a standalone server (or to an untrusted domain) by default.


For NTLM v2 things are different:

1. A=>B: Requests a logon to the server.
2. B=>A: N1
3. A=>B: N2, E(N(N1, N2, U), H(P))   (U - Username)
4. B=>A: E2(E(N(N1, N2, U), H(P)), N(N1, N2, U), H(H(P)))


The server can check S=D(N,E(N,H(P))) or E(N,S)=E(N,H(P)).
If Eve eavesdrops the login she can get S by D(N,E(N,H(P))).

It's not true. It's N = D(N,E(N,H(P))), not S=D(N,E(N,H(P))). So the server
will always check E(N,S)=E(N,H(P)).

PK> If this was true, it would be very bad news (or very good news for
PK> certain people). Fortunately (unfortunately), according to my
PK> understanding of the protocol, A's response in step 3 is N encrypted
PK> by DES using H(P) as a *key*, and S = H(P) cannot be computed
PK> given the result of encryption (E(N,H(P))...or E(H(P),N) using a
PK> more common order of arguments) and the nonce (N) easily.

Yes. For NTLMv1 E(N, H(P)) looks like:

des_encrypt(N, H, E);
des_encrypt(N, H + 7, E + 8);
des_encrypt(N, H + 14, E + 16);

N - points to the challenge, H - to the hash, E - to the response. des_encrypt
extends each 7 bits of the second argument to an octet by prefixing it with a 0
bit (it makes 8 octets with values < 128) and does standard DES
encryption of the 8 octets pointed to by the first argument with this
calculated key. Repairing S from the response is not a trivial task.

-- 
~/ZARAZA
Stop trying - nothing will come of it. (Twain)
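
Added example, not part of the original message or of its author's code: the key preparation implied by the des_encrypt description above, in C. The names expand_des_key and ntlmv1_des_keys are hypothetical. It assumes the 16-byte hash is zero-padded to 21 bytes so that H + 14 still yields 7 bytes, and that the 7-bit groups are shifted into the high bits of each octet for a standard DES routine. The sample hash in main is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Spread 7 key bytes (56 bits) over 8 octets, 7 bits per octet.
 * After the first eight assignments every octet is < 128, as the message
 * describes. The final shift is an assumption about the DES routine:
 * a standard DES key octet keeps its parity bit in the lowest bit. */
void expand_des_key(const uint8_t in[7], uint8_t out[8])
{
    out[0] = (uint8_t)(in[0] >> 1);
    out[1] = (uint8_t)(((in[0] & 0x01) << 6) | (in[1] >> 2));
    out[2] = (uint8_t)(((in[1] & 0x03) << 5) | (in[2] >> 3));
    out[3] = (uint8_t)(((in[2] & 0x07) << 4) | (in[3] >> 4));
    out[4] = (uint8_t)(((in[3] & 0x0F) << 3) | (in[4] >> 5));
    out[5] = (uint8_t)(((in[4] & 0x1F) << 2) | (in[5] >> 6));
    out[6] = (uint8_t)(((in[5] & 0x3F) << 1) | (in[6] >> 7));
    out[7] = (uint8_t)(in[6] & 0x7F);
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(out[i] << 1);
}

/* Keys for the three calls at H, H + 7 and H + 14. The hash is 16 bytes,
 * so it is zero-padded to 21 bytes (assumption stated in the lead-in). */
void ntlmv1_des_keys(const uint8_t hash[16], uint8_t keys[3][8])
{
    uint8_t padded[21] = {0};
    memcpy(padded, hash, 16);
    for (int i = 0; i < 3; i++)
        expand_des_key(padded + 7 * i, keys[i]);
}

int main(void)
{
    /* Constructed sample hash, not a real credential. */
    uint8_t hash[16], keys[3][8];
    for (int i = 0; i < 16; i++)
        hash[i] = (uint8_t)(0x10 + i);
    ntlmv1_des_keys(hash, keys);
    for (int k = 0; k < 3; k++) {
        printf("key %d:", k);
        for (int i = 0; i < 8; i++)
            printf(" %02x", keys[k][i]);
        printf("\n");
    }
    return 0;
}
```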

