NTLM authentication mechanism learning notes


Author: awen
Posted on: 2003-1-16

1. Experiments on several special phenomena
Assume the following setup:
Client A and server B both run Windows NT or Windows 2000. A is 111.111.111.111 and B is 222.222.222.222. The account currently logged on at the client is admin, with the password awenpatching.
The server has the same account, that is, the user name is admin and the password is awenpatching.
The server does not need to be logged on with this account.

Case 1: File sharing
When you access the default administrative share of a Windows machine, the following happens:
A accesses the C$ share of B. When you open \\222.222.222.222\C$, you can access C$ on B without being asked for a password.

Case 2: Telnet
telnet 222.222.222.222
The output is as follows:
--------------------------------------------------------------------------------------
Microsoft (R) Windows 2000 (TM) Version 5.00 (internal version 2195)
Welcome to Microsoft Telnet Client
Telnet Client internal version 5.00.99206.1
The Escape Character is 'ctrl +]'
You want to send the password to a remote computer in the Internet area. This may be insecure. Whether to send it again (y/n ):
--------------------------------------------------------------------------------------
Enter y.
Then I found that A had telnetted into B.

Case 3: MS SQL Server
Normally you connect to the server remotely using SQL Server authentication. In this setup, if you choose Windows authentication instead, you will find that the connection succeeds. Open Query Analyzer and verify it.

2. Principle analysis
The three cases above look as if the authentication process has been bypassed, but that is not actually what happens. First look at the Windows NTLM authentication mechanism, taking file sharing as the example. The exchange is as follows:
1. Client <-------------------- establishes a TCP connection ---------------> Server
2. Client ------- client type and list of supported service methods ---------> Server
3. Client <------ protocols the server supports, authentication methods, encryption key, etc. ----- Server
4. Client ------------ user name, encrypted password -----------------> Server
5. Client <--------------- whether authentication succeeded --------------------- Server
Briefly, the verification in the NTLM mechanism above works like this:
Microsoft uses the NTLM challenge-response mechanism. For example, when a client accesses a domain server in an NT domain, the server first sends a random value (the challenge) to the client. The client mixes that random value with the hash of its own password and returns the result to the server. The server reads the user's password hash from its local SAM database, mixes it with the random value it sent in the same way, and finally compares the two results. If they are the same, the client is authenticated.

This is the general process, and in fact all three examples above go through exactly this process. The three special situations arise because of a weakness in how the identity authentication is driven. In Windows 9x, NT and 2000, when the challenge is received the client automatically answers it with the user name and password of the currently logged-on user. That is, in step 4 above, the client sends the encrypted user name and password of its current user without asking.

In the example setup the process is therefore:
A establishes a TCP connection with B, then A sends the client type and the list of supported service methods to B. B replies with the protocols it supports, the authentication method and the encryption key (challenge), and A automatically sends its current user name and encrypted password to B. B compares the value with the one derived from its own SAM database (after the same series of processing steps); the two are the same, so authentication succeeds.

3. Detailed analysis of the SQL Server connection

The network protocol analyzer Iris was set to capture all packets between the two computers. We found that every connection to the server is carried over TCP port 1433. In practice we also saw UDP port 137 packets, but after filtering port 137 with IPSec the connection could still be made. Note: UDP 137 provides the NetBIOS Name Service.
A total of 81 packets were captured; only the relevant ones are listed below.
============================================================================================
Client ------- client type, list of supported service methods, etc. ---------> Server
============================================================================================
No: 6
Timestamp: 16:22:29:984
MAC source address: 00:50:BF:2A:40:64
MAC dest address: 00:09:7B:51:BB:FC
Frame type: IP
Protocol: TCP -> 1042
Source IP address: awen
Dest IP address: FLDserver
Source port: 1042
Destination port: 1433
Sequence: 3106511279
ACK: 2759799333
Packet size: 241
Packet data:
0000: 00 09 7B 51 bb fc 00 50 BF 2A 40 64 08 00 45 00... {Q... P. * @ d. E.
0010: 00 E3 07 28 40 00 80 06 39 dc ac 11 01 BC D3 41 ...... (@... 9 ......
0020: 38 02 04 12 05 99 B9 29 99 AF A4 7F 32 25 50 18 8 ......) ...... 2% P.
0030: fa cb 47 2D 00 00 10 01 00 BB 00 00 01 00 B3 00 ...... G -............
0040: 00 00 01 00 00 71 00 00 00 00 00 07 C8 04 ...... q ..........
0050: 00 00 00 00 00 E0 83 00 00 20 fe ff 04 08 ...............
0060: 00 00 56 00 00 00 00 00 00 00 00 00 56 00 ...... V.
0070: 09 00 68 00 0B 00 00 00 00 7E 00 04 00 86 00 ...... h .............
0080: 00 00 86 00 00 00 00 50 BF 2A 40 64 86 00 2D 00 ...... P. * @ d ..-.
0090: B3 00 00 00 53 00 51 00 4C 00 20 00 E5 67 E2 8B ...... S.Q.L ..
00A0: 06 52 90 67 68 56 32 00 31 00 31 00 2E 00 36 00. R. ghV2.0.2. .. 5.
00B0: 35 00 2E 00 35 00 36 00 2E 00 32 00 4F 00 44 00 8... 5... 6... 2. O. D.
00C0: 42 00 43 00 4E 54 4C 4D 53 50 00 01 00 00 B. C. NTLMSSP .....
00D0: 07 B2 00 A0 09 00 09 00 24 00 00 00 04 00 04 00 ...... $ .......
00E0: 20 00 00 00 41 57 45 4E 57 4F 52 4B 47 52 4F 55... AWENWORKGROU
00F0: 50 P

==========================================================================================
Client <------ protocols the server supports, authentication methods, encryption key, and so on ----- Server
==========================================================================================
No: 7
Timestamp: 16:22:29:984
MAC source address: 00:09:7B:51:BB:FC
MAC dest address: 00:50:BF:2A:40:64
Frame type: IP
Protocol: TCP -> 1042
Source IP address: FLDserver
Dest IP address: awen
Source port: 1433
Destination port: 1042
Sequence: 2759799333
ACK: 3106511466
Packet size: 223
Packet data:
0000: 00 50 BF 2A 40 64 00 09 7B 51 bb fc 08 00 45 00. P. * @ d... {Q... E.
0010: 00 D1 DE 1A 40 00 7E 06 64 FB D3 41 38 02 AC 11 ...... @... d...
0020: 01 BC 05 99 04 12 A4 7F 32 25 B9 29 9A 6A 50 18 ...... 2%). jP.
0030: FA 01 C3 DC 00 00 04 00 A9 00 00 01 00 ED 9E ................
0040: 00 4E 54 4C 4D 53 50 00 02 00 00 00 12 00 12. NTLMSSP ........
0050: 00 30 00 00 00 05 82 A0 F2 D4 05 C1 C0 BC 45. 0 ...... E
0060: 95 00 00 00 00 00 00 00 5C 00 42 00 00 ...... B ..
0070: 00 46 00 4C 00 44 00 53 00 45 00 52 00 56 00 45. F. L.D.S. E. R. V. E
0080: 00 52 00 02 00 12 00 46 00 4C 00 44 00 53 00 45. R... F. L.D.S. E
0090: 00 52 00 56 00 45 00 52 00 01 00 12 00 46 00 4C. R. V. E. R... F. L
00A0: 00 44 00 53 00 45 00 52 00 56 00 45 00 52 00 04. D. S. E. R. V. E. R ..
00B0: 00 12 00 66 00 6C 00 64 00 73 00 65 00 72 00 76... f. l. d. s. e. r. v
00C0: 00 65 00 72 00 03 00 12 00 66 00 6C 00 64 00 73. e. r... f. l. d. s
00D0: 00 65 00 72 00 76 00 65 00 72 00 00 00 00. e. r. v. e. r .....

========================================================================================
Client -------------- user name, encrypted password ---------------> Server
The host name is awen and the user name is admin, followed by the encrypted hash values
========================================================================================
No: 8
Timestamp: 16:22:29:994
MAC source address: 00:50:BF:2A:40:64
MAC dest address: 00:09:7B:51:BB:FC
Frame type: IP
Protocol: TCP -> 1042
Source IP address: awen
Dest IP address: FLDserver
Source port: 1042
Destination port: 1433
Sequence: 3106511466
ACK: 2759799502
Packet size: 200
Packet data:
0000: 00 09 7B 51 bb fc 00 50 BF 2A 40 64 08 00 45 00... {Q... P. * @ d. E.
0010: 00 BA 07 2A 40 00 80 06 3A 03 AC 11 01 BC D3 41 ...... * @ ......
0020: 38 02 04 12 05 99 B9 29 9A 6A A4 7F 32 CE 50 18 8 ......). j... 2. P.
0030: FA 22 35 0C 00 00 11 01 00 00 00 01 00 4E 54. "5 ...... NT
0040: 4C 4D 53 50 00 03 00 00 00 18 00 5A 00 LMSSP ...... Z.
0050: 00 00 18 00 18 00 72 00 00 00 08 00 40 00 ...... r .......@.
0060: 00 00 0A 00 0A 00 48 00 00 00 08 00 52 00 ...... H ...... R.
0070: 00 00 00 00 00 8A 00 00 00 05 82 80 A0 41 00 .......
0080: 57 00 45 00 4E 00 61 00 64 00 6D 00 69 00 6E 00 W. E. N. a. d. m. I. n.
0090: 41 00 57 00 45 00 4E 00 A3 58 1F 51 AF 9B 97 23 A. W. E. N. X. Q ...#
00A0: 74 02 A0 3C 3D ED A7 02 31 CA C8 4F 1D F9 B1 78 t... =... 1... O... x
00B0: 4E AB A5 C0 D1 13 D7 29 82 B8 4C 06 B0 AD 7D 03 N ...}.
00C0: 1B 9E FF 2B 8B 4F 8A 64... +. O. d
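To make the three NTLMSSP messages concrete, here is an added example in Python (not part of the original article) that locates the NTLMSSP blob inside a TDS payload, decodes Type 2 (challenge) and Type 3 (authenticate) messages, and flags a 24-byte NT response as NTLMv1, which is what a monitoring tool would want to spot when a client answers a non-domain server's challenge automatically. The builder, its field layout and the TDS-style prefix are my reconstruction of packet 8; the response bytes are copied from the dump above.

```python
import struct
SIG = b"NTLMSSP\x00"

def _field(buf, off):
    # NTLM security-buffer descriptor: u16 length, u16 max length, u32 offset
    ln, _mx, o = struct.unpack_from("<HHI", buf, off)
    return buf[o:o + ln]

def find_ntlmssp(payload):
    """Locate the NTLMSSP message inside a TDS (or SMB) payload; None if absent."""
    i = payload.find(SIG)
    return None if i < 0 else payload[i:]

def parse_ntlm(msg):
    """Decode a Type 2 (challenge) or Type 3 (authenticate) message into a dict."""
    if not msg.startswith(SIG):
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 2:
        return {"type": 2, "target": _field(msg, 12).decode("utf-16-le"),
                "flags": struct.unpack_from("<I", msg, 20)[0], "challenge": msg[24:32].hex()}
    if mtype != 3:
        raise ValueError("unsupported message type %d" % mtype)
    lm, nt = _field(msg, 12), _field(msg, 20)
    return {"type": 3, "domain": _field(msg, 28).decode("utf-16-le"),
            "user": _field(msg, 36).decode("utf-16-le"),
            "workstation": _field(msg, 44).decode("utf-16-le"),
            "lm_len": len(lm), "nt_len": len(nt),
            # a 24-byte NT response is NTLMv1 (the Windows 2000 default); NTLMv2 is longer
            "ntlmv1": len(nt) == 24}

def build_type3(domain, user, workstation, lm_resp, nt_resp, flags=0xA0808205):
    """Build an AUTHENTICATE message with the 64-byte header and payload order of packet 8."""
    d, u, w = (s.encode("utf-16-le") for s in (domain, user, workstation))
    off_d, off_u = 64, 64 + len(d)
    off_w, off_lm = off_u + len(u), off_u + len(u) + len(w)
    off_nt, off_key = off_lm + len(lm_resp), off_lm + len(lm_resp) + len(nt_resp)
    desc = lambda b, off: struct.pack("<HHI", len(b), len(b), off)  # length, maxlen, offset
    hdr = (SIG + struct.pack("<I", 3) + desc(lm_resp, off_lm) + desc(nt_resp, off_nt)
           + desc(d, off_d) + desc(u, off_u) + desc(w, off_w) + desc(b"", off_key)
           + struct.pack("<I", flags))
    return hdr + d + u + w + lm_resp + nt_resp

# Constructed sample mirroring packet 8: workstation AWEN, user admin, 24-byte LM and
# NT responses (the response bytes are copied from the capture's hex dump above)
LM_RESP = bytes.fromhex("A3581F51AF9B97237402A03C3DEDA70231CAC84F1DF9B178")
NT_RESP = bytes.fromhex("4EABA5C0D113D72982B84C06B0AD7D031B9EFF2B8B4F8A64")
SAMPLE_TYPE3 = build_type3("AWEN", "admin", "AWEN", LM_RESP, NT_RESP)
SAMPLE_TDS_PAYLOAD = b"\x11\x01\x00\x92\x00\x00\x01\x00" + SAMPLE_TYPE3  # constructed TDS-style header
```

Running `parse_ntlm(find_ntlmssp(SAMPLE_TDS_PAYLOAD))` recovers domain AWEN, user admin and workstation AWEN with two 24-byte responses, exactly the fields the text reads off packet 8.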
