| field | value | date |
|---|---|---|
| author | Luke Leighton <lkcl@samba.org> | 2000-01-05 11:28:19 +0000 |
| committer | Luke Leighton <lkcl@samba.org> | 2000-01-05 11:28:19 +0000 |
| commit | 9ce1725e3db26d8a537a9ce855d4d4075bd5ef46 (patch) | |
| tree | 3dc11e6db70797b0e393f1d7729fe8b0e20ab673 /source/rpc_parse/parse_net.c | |
| parent | 7b014a0a4863cd86edb964cbefed1a107201ccc9 (diff) | |
Finally got somewhere with encrypted MSRPC. I had to do some hacking about
of the network logon NetrSamLogon, would you believe it! I finally
understand why Microsoft return 8 bytes of the user's password in
NetrSamLogon (network logon): it's so that you can generate NTLMSSP
state.

NT4sp2 and below used to send 8 bytes of LM# in the clear, which was SO
stupid that Paul Ashton and I had to tell them about it, and they now
use some obfuscation based on the negotiated NETLOGON session key.
I can't remember exactly what this obfuscation was, so I just guessed,
for now, and I'll test against an NT PDC later, when I have one.

Security implications are that if you know a workstation's trust account
password (default to lower-case), you can watch network traffic and _still_
obtain the first 8 bytes of the user's LM# (generated from the 1st 7 bytes uppercase
of the user's cleartext password) from *network* NetrSamLogons.

No wonder Microsoft want to replace this stuff with Kerberos 5.
Diffstat (limited to 'source/rpc_parse/parse_net.c')

-rw-r--r-- source/rpc_parse/parse_net.c | 6
1 files changed, 6 insertions, 0 deletions
diff --git a/source/rpc_parse/parse_net.c b/source/rpc_parse/parse_net.c index a087e0a9d10..6cbcb5f8277 100644 --- a/source/rpc_parse/parse_net.c +++ b/source/rpc_parse/parse_net.c @@ -1094,6 +1094,8 @@ BOOL make_net_user_info3(NET_USER_INFO_3 *usr, char *logon_srv, char *logon_dom, + char *padding, + DOM_SID *dom_sid, char *other_sids) { @@ -1152,6 +1154,10 @@ BOOL make_net_user_info3(NET_USER_INFO_3 *usr, usr->buffer_dom_id = dom_sid ? 1 : 0; /* yes, we're bothering to put a domain SID in */ bzero(usr->padding, sizeof(usr->padding)); + if (padding != NULL) + { + memcpy(usr->padding, padding, 8); + } num_other_sids = make_dom_sid2s(other_sids, usr->other_sids, LSA_MAX_SIDS); |
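Review bot: in the first hunk (the `make_net_user_info3` signature at line 1094), the new `padding` parameter says nothing about its meaning or required length, yet the second hunk copies exactly 8 bytes from it; document that at the declaration (for example `char *padding, /* 8 bytes of obfuscated LM# or NULL */`) and confirm the prototype in the header and every caller are updated, since this diffstat touches only parse_net.c and a caller passing fewer than 8 bytes would be read past its end.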
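Review bot: in the second hunk (around line 1154), `memcpy(usr->padding, padding, 8)` hard-codes the length while the `bzero` just above it uses `sizeof(usr->padding)`, so the two can silently disagree if the struct field changes; use `sizeof(usr->padding)` (or a named constant compared against it at compile time) in both calls, and add a comment stating that the 8-byte content is the session-key-based obfuscation the commit message admits is a guess, so the next person testing against a real NT PDC knows where to look.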