From - Fri Sep 12 14:29:15 1997
Path: news.mitre.org!blanket.mitre.org!nntprelay.mathworks.com!europa.clark.net!158.152.1.94!dispatch.news.demon.net!demon!argo.demon.co.uk!not-for-mail
From: Paul Ashton
Newsgroups: sci.crypt,comp.protocols.smb,comp.os.ms-windows.nt.admin.security
Subject: Re: NT domain member to domain controller authentication protocol
Date: Sat, 30 Aug 1997 14:13:04 +0100
Organization: Argo Systems
Message-ID: <34081C60.599E@argo.demon.co.uk>
References: <3405E963.77BE@argo.demon.co.uk> <5u4u88$43d@joseph.cs.berkeley.edu>
NNTP-Posting-Host: argo.demon.co.uk
X-NNTP-Posting-Host: argo.demon.co.uk [158.152.32.217]
X-Mailer: Mozilla 3.01 (WinNT; I)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 36
Xref: news.mitre.org sci.crypt:70066 comp.protocols.smb:15774 comp.os.ms-windows.nt.admin.security:5162

David Wagner wrote:
> I'd like to point out a minor security weakness -- an active attack on
> the protocol which lets someone who has hijacked the connection pretend
> to be the server, and thus obtain the client's authentication credentials
> (i.e. ntowf(P), lmowf(P)). The attacker must have recovered one old
> session key.

Recovering a session key is just about as hard as recovering the
machine password, I would say. I would suggest that the major weaknesses
are in the protection of the returned userdata which doesn't appear
to be part of the authentication protection system, and the usage
of rc4 using the constant session key without any use of nonces.
I.e.:-

C->S rc4(Ks[0..7,16],lmowf(randompassword())
...
C->S NetLogonSamLogon,Rc',Tc,U,
     rc4(Ks[0..7,16],16,ntowf(P),16),
     rc4(Ks[0..7,16],16,lmowf(P),16)

All future logons within the same session will encrypt an OWF with the
same RC4 key, so there is plenty of scope for substituting one
encryption with another and for substituting already encrypted data
with plaintext (p == RC4(k,RC4(k,p))).

Therefore, if I sniff a logon session by the user FRED, I can go to the
same workstation after he logs out and login as FRED with any password
and substitute the RC4(Ks,OWFs) with the previous ones. This is made
easy in an NT network which often uses DHCP which allows any
unauthenticated system to give out IP addresses and the default
gateway to a client that asks.

Paul
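
The constant-key RC4 property stated in the post above (p == RC4(k,RC4(k,p))) and what it means for repeated logons in one session, as an added Python example that is not part of the original post. The session key, the OWF values and the HMAC-based per-message key (shown as the corrected form) are constructed assumptions, not taken from the NT protocol.

```python
import hashlib
import hmac
import os

def rc4(key: bytes, data: bytes) -> bytes:
    # Standard RC4: key scheduling, then XOR the data with the keystream.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def per_message_key(session_key: bytes, nonce: bytes) -> bytes:
    # Assumed mitigation (not in the protocol): a fresh RC4 key per message.
    return hmac.new(session_key, nonce, hashlib.sha256).digest()[:16]

# Constructed sample values: a 16-byte session key and two 16-byte OWFs.
KS = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
OWF_A = hashlib.md5(b"constructed-owf-a").digest()
OWF_B = hashlib.md5(b"constructed-owf-b").digest()

def constant_key_findings() -> dict:
    c_a, c_b = rc4(KS, OWF_A), rc4(KS, OWF_B)
    return {
        # Encrypting a second time under the same key returns the plaintext.
        "involution": rc4(KS, c_a) == OWF_A,
        # Same keystream both times: ciphertext XOR equals plaintext XOR.
        "xor_leak": xor(c_a, c_b) == xor(OWF_A, OWF_B),
        # The same OWF yields the same bytes on every logon in the session.
        "deterministic": rc4(KS, OWF_A) == c_a,
    }

def nonce_keyed_findings() -> dict:
    n1, n2 = os.urandom(16), os.urandom(16)
    c1 = rc4(per_message_key(KS, n1), OWF_A)
    c2 = rc4(per_message_key(KS, n2), OWF_A)
    return {
        "ciphertexts_differ": c1 != c2,
        # A blob from an earlier message does not decrypt under a new nonce.
        "old_blob_rejected": rc4(per_message_key(KS, n2), c1) != OWF_A,
    }
```

A per-message key only stops an old blob being accepted if the receiving side chooses or checks the nonce; the blob would also need integrity protection, which RC4 alone does not give.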