[23388] in bugtraq
Re[2]: iXsecurity.tool.smbproxy.1.0.0
daemon@ATHENA.MIT.EDU (3APA3A)
Tue Dec 4 13:32:07 2001
Date: Mon, 3 Dec 2001 20:06:14 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Message-ID: <109779212508.20011203200614@SECURITY.NNOV.RU>
To: "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz>
Cc: patrik.karlsson@ixsecurity.com, bugtraq@securityfocus.com
In-Reply-To: <20011201180154.27F.0@bobanek.nowhere.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit
Hello Pavel,
I saw no original message on Bugtraq. But I'll try to comment.
--Saturday, December 01, 2001, 8:33:19 PM, you wrote to patrik.karlsson@ixsecurity.com:
PK> On Tue, 6 Nov 2001 patrik.karlsson@ixsecurity.com wrote:
>> Windows NT/2000 login:
>> 1. A=>B: Requests a logon to the server.
>> 2. B=>A: N
>> 3. A=>B: E(N,H(P))
This is NTLMv1 logon scenario. It's only true on NT login (NT with SP4
and Win9x with Directory Services Client can be set up to use NTLMv2
instead though). Win2K uses Kerberos for Domain logons and NTLM v2 to
logon to standalon server (or to untrusted domain) by default.
For NTLM v2 things are different:
1. A=>B: Requests a logon to the server.
2. B=>A: N1
3. A=>B: N2, E(N(N1, N2, U), H(P)) (U - Username)
4. B=>A: E2(E(N(N1, N2, U), H(P)), N(N1, N2, U), H(H(P)))
>>
>> The server can check S=D(N,E(N,H(P))) or E(N,S)=E(N,H(P)).
>> If Eve eavesdrops the login she can get S by D(N,E(N,H(P))).
It's not true. It's N = D(N,E(N,H(P))), not S=D(N,E(N,H(P))). So server
will always check E(N,S)=E(N,H(P)).
PK> If this was true, it would be very bad news (or very good news for
PK> certain people). Fortunately (unfortunately), according to my
PK> understanding of the protocol, A's response in step 3 is N encrypted
PK> by DES using H(P) as a *key*, and S = H(P) cannot be computed
PK> given the result of encryption (E(N,H(P))...or E(H(P),N) using a
PK> more common order of arguments) and the nonce (N) easily.
Yes. For NTLMv1 E(N, H(P)) looks like:
des_encrypt(N, H, E);
des_encrypt(N, H + 7, E + 8);
des_encrypt(N, H + 14, E + 16);
N - points to challenge, H - to hash, E - to response. des_encrypt
extends each 7 bits of second argument to octet by prefexing it with 0
bit (it makes 8 octets with values < 128) and does standard DES
encryption of the 8 octets pointed by first argument with this
calculated key. Repairing S from response is not trivial task.
--
~/ZARAZA
Бросьте стараться - ничего из этого не выйдет. (Твен)
