authorLuke Leighton <lkcl@samba.org>2000-01-05 11:28:19 +0000
committerLuke Leighton <lkcl@samba.org>2000-01-05 11:28:19 +0000
commit9ce1725e3db26d8a537a9ce855d4d4075bd5ef46 (patch)
tree3dc11e6db70797b0e393f1d7729fe8b0e20ab673 /source/rpc_parse/parse_net.c
parent7b014a0a4863cd86edb964cbefed1a107201ccc9 (diff)
finally got somewhere with encrypted msrpc. i had to do some hacking about
of the network logon NetrSamLogon, would you believe it! i finally understand why microsoft return 8 bytes of the user's password in NetrSamLogon (network logon), it's so that you can generate NTLMSSP state. NT4sp2 and below used to send 8 bytes of LM# in-the-clear, which was SO stupid that paul ashton and i had to tell them about it, and they now use some obfuscation based on the negotiated-NETLOGON-session-key. i can't remember exactly what this obfuscation was, so i just guessed, for now, and i'll test against an NT PDC, later, when i have one. security-implications are that if you know a workstation's trust account password (default to lower-case), you can watch network traffic and _still_ obtain first 8 bytes of user's LM# (generated from 1st 7 bytes uppercase of user's cleartext password) from *network* NetrSamLogons. no wonder microsoft want to replace this stuff with Kerberos 5.
Diffstat (limited to 'source/rpc_parse/parse_net.c')
-rw-r--r--source/rpc_parse/parse_net.c6
1 files changed, 6 insertions, 0 deletions
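--- a/source/rpc_parse/parse_net.c
+++ b/source/rpc_parse/parse_net.c
@@ -1094,6 +1094,8 @@ BOOL make_net_user_info3(NET_USER_INFO_3 *usr,
 char *logon_srv,
 char *logon_dom,
+ char *padding,
+
 DOM_SID *dom_sid,
 char *other_sids)
 {
@@ -1152,6 +1154,10 @@ BOOL make_net_user_info3(NET_USER_INFO_3 *usr,
 usr->buffer_dom_id = dom_sid ? 1 : 0; /* yes, we're bothering to put a domain SID in */
 bzero(usr->padding, sizeof(usr->padding));
+ if (padding != NULL)
+ {
+ memcpy(usr->padding, padding, 8);
+ }
 num_other_sids = make_dom_sid2s(other_sids, usr->other_sids, LSA_MAX_SIDS);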
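Review bot: The copy in the second hunk, `memcpy(usr->padding, padding, 8);`, uses a hard-coded length while the bzero on the line above sizes the same field by `sizeof(usr->padding)`; if the two ever disagree the copy over- or under-runs the field, and nothing states that callers must hand in a buffer of at least 8 bytes. Tying the length to the destination, `memcpy(usr->padding, padding, sizeof(usr->padding));`, or naming the constant and documenting the caller contract on the `padding` parameter, would make the size assumption explicit. Per the commit message this field carries bytes derived from the user's password hash, so a comment on the parameter saying what the caller is expected to place there and how long it must be is worth adding. Since the function only reads through it, the new parameter in the first hunk could be declared `const char *padding`. make_net_user_info3 starts at the first hunk and its body continues outside both hunks.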