Hello Pavel,

I saw no original message on Bugtraq. But I'll try to comment.

--Saturday, December 01, 2001, 8:33:19 PM, you wrote to patrik.karlsson@ixsecurity.com:

PK> On Tue, 6 Nov 2001 patrik.karlsson@ixsecurity.com wrote:

>> Windows NT/2000 login:
>> 1. A=>B: Requests a logon to the server.
>> 2. B=>A: N
>> 3. A=>B: E(N,H(P))

This is the NTLMv1 logon scenario. It's only true for NT login (NT with SP4 and Win9x with the Directory Services Client can be set up to use NTLMv2 instead, though). Win2K uses Kerberos for domain logons and NTLMv2 to log on to a standalone server (or to an untrusted domain) by default. For NTLMv2 things are different:

1. A=>B: Requests a logon to the server.
2. B=>A: N1
3. A=>B: N2, E(N(N1, N2, U), H(P)) (U - Username)
4. B=>A: E2(E(N(N1, N2, U), H(P)), N(N1, N2, U), H(H(P)))

>>
>> The server can check S=D(N,E(N,H(P))) or E(N,S)=E(N,H(P)).
>> If Eve eavesdrops the login she can get S by D(N,E(N,H(P))).

It's not true. It's N = D(N,E(N,H(P))), not S = D(N,E(N,H(P))). So the server will always check E(N,S) = E(N,H(P)).

PK> If this was true, it would be very bad news (or very good news for
PK> certain people). Fortunately (unfortunately), according to my
PK> understanding of the protocol, A's response in step 3 is N encrypted
PK> by DES using H(P) as a *key*, and S = H(P) cannot be computed
PK> given the result of encryption (E(N,H(P))...or E(H(P),N) using a
PK> more common order of arguments) and the nonce (N) easily.

Yes. For NTLMv1, E(N, H(P)) looks like:

    des_encrypt(N, H, E);
    des_encrypt(N, H + 7, E + 8);
    des_encrypt(N, H + 14, E + 16);

N points to the challenge, H to the hash, E to the response. des_encrypt extends each 7 bits of the second argument to an octet by prefixing it with a 0 bit (it makes 8 octets with values < 128) and does standard DES encryption of the 8 octets pointed to by the first argument with this calculated key. Repairing S from the response is not a trivial task.

--
~/ZARAZA
Stop trying; nothing will come of it. (Twain)
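The three-DES-block response E(N, H(P)) and the server-side check E(N,S) = E(N,H(P)) described in the reply above, as an added Go example that is not code from the thread. It uses Go's standard crypto/des, the MS-NLMP 4.2.2 test vector (NT hash of "Password", challenge 0123456789abcdef) as sample input, and the key expansion from MS-NLMP/Samba's str_to_key (7 bits in the high positions of each octet, parity bit 0) rather than the "prefix with a 0 bit" wording in the mail.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// expandDESKey extends 7 bytes (56 bits) to an 8-byte DES key: each 7-bit chunk
// fills the high bits of one octet, the low parity bit is left 0 (Samba str_to_key).
func expandDESKey(k7 []byte) []byte {
	var buf [8]byte
	copy(buf[1:], k7) // 56 significant bits, read as a big-endian uint64
	v := binary.BigEndian.Uint64(buf[:])
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		key[i] = byte((v>>(49-7*uint(i)))&0x7F) << 1
	}
	return key
}

// NTLMv1Response is E(N, H(P)): the 16-byte NT hash, zero-padded to 21 bytes,
// yields three 7-byte DES keys, and challenge N is encrypted under each (DESL).
func NTLMv1Response(ntHash, challenge []byte) []byte {
	k := make([]byte, 21)
	copy(k, ntHash)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		c, err := des.NewCipher(expandDESKey(k[7*i : 7*i+7]))
		if err != nil {
			panic(err) // only on a wrong key length, impossible here
		}
		c.Encrypt(resp[8*i:8*i+8], challenge)
	}
	return resp
}

// VerifyNTLMv1 is the server check E(N,S) == E(N,H(P)): recompute, never decrypt.
func VerifyNTLMv1(storedHash, challenge, response []byte) bool {
	return bytes.Equal(NTLMv1Response(storedHash, challenge), response)
}

func main() {
	// MS-NLMP 4.2.2 test vector: NT hash of "Password", server challenge.
	ntHash, _ := hex.DecodeString("a4f49c406510bdcab6824ee7c30fd852")
	chal, _ := hex.DecodeString("0123456789abcdef")
	resp := NTLMv1Response(ntHash, chal)
	fmt.Printf("response %x accepted=%v\n", resp, VerifyNTLMv1(ntHash, chal, resp))
}
```

Because H(P) is the DES key rather than the plaintext, the server holds the key and recomputes the response; the reply confirms the mail's point that nothing in the exchange lets an eavesdropper decrypt S out of it.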