Closed joncave closed 7 years ago
Thanks! I'll get this tested over the weekend.
Did you come up with a test setup for generating LMv2 against an Inveigh host or did you just use that box from your engagement?
The data above is from a small test environment. LMv2 responses generated using smbclient
on the Samba based DC at a Windows host. NTLMv1 from another Windows host with network security settings set to "Send LM & NTLM".
\o/
Nice fix, thanks again!
NTLMSSP message parsing may produce bad hashes for SMB traffic. Currently, the determination for NTLMv1 vs. NTLMv2 is based on whether or not the LM response data is all nulls. This causes problems if LMv2 response data is present.
For example the following messages:
produce this 'NTLMv1 hash':
NETNTLMv1 hashes should have LM and NT response data fields which are both 24 bytes long. So, the decision should be based on the length of the NT response data.
Sample data with the patch:
This doesn't appear to be a problem with the HTTP variant. Though I haven't tested this (which also means I haven't actually tested the changes which apply to the HTTP code!).