[lm/ntlm/ntlmv2] - proxy http

Recherche :

Mot : Pseudo : Filtrer
Bas de page
Auteur	Sujet : [lm/ntlm/ntlmv2] - proxy http

Krapaud

Modérateur

Hello,

Dans un environnement AD j'ai le problème suivant :
- un client WinXP
- un AD 2000 mode mixte
- un proxy en coupure avec authentification sur l'AD

Le proxy est basé sur Apache et Samba pour l'authentification : la configuration est minimale dans les propriétés, les champs du fichier smb.conf sont volontairement restreints.

La GPO du domaine impose ceci : Send NTLMv2 response only\refuse LM
les ordinateurs et DC reçoivent tous cette même stratégie.

Pourtant, dans les captures faites j'ai ces informations :

1/ captures faites sur le PC client

frame 1

Hypertext Transfer Protocol
GET http://www.google.fr/ HTTP/1.0\r\n
Request Method: GET
Request URI: http://www.google.fr/
Request Version: HTTP/1.0
Accept: */*\r\n
Accept-Language: fr\r\n
Cookie: PREF=ID=4f2f24a992704cee:TM=1175527850:LM=1175527850:S=812IWxaYE95YFLBz\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
Host: www.google.frrn
Proxy-Connection: Keep-Alive\r\n
\r\n
Request: True

frame 2

Hypertext Transfer Protocol
HTTP/1.1 407 Proxy Authentication Required\r\n
Request Version: HTTP/1.1
Response Code: 407
Date: Mon, 02 Apr 2007 16:54:24 GMT\r\n
Proxy-Authenticate: NTLM\r\n
Proxy-Authenticate: Basic realm="Proxy-Access"\r\n
Content-Length: 355\r\n
Keep-Alive: timeout=15, max=100\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
\r\n
Response: True
Line-based text data: text/html
<HTML><HEAD>
<TITLE>407 Proxy Authentication Required</TITLE> </HEAD><BODY><H1>Proxy Authentication Required</H1>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad>

frame 3

frame 4

Hypertext Transfer Protocol
HTTP/1.1 407 Proxy Authentication Required\r\n
Request Version: HTTP/1.1
Response Code: 407
Date: Mon, 02 Apr 2007 16:54:24 GMT\r\n
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAN7Mlkqo9X1YAAAAAAAAAAA==\r\n
NTLMSSP
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
Domain: NULL
Flags: 0x00008201
0... .... .... .... .... .... .... .... = Negotiate 56: Not set
.0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set
..0. .... .... .... .... .... .... .... = Negotiate 128: Not set
...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
.... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
.... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
.... ..0. .... .... .... .... .... .... = Negotiate 0x02000000: Not set
.... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
.... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set
.... .... .0.. .... .... .... .... .... = Negotiate 0x00400000: Not set
.... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
.... .... ...0 .... .... .... .... .... = Negotiate 0x00100000: Not set
.... .... .... 0... .... .... .... .... = Negotiate NTLM2 key: Not set
.... .... .... .0.. .... .... .... .... = Negotiate Challenge Non NT Session Key: Not set
.... .... .... ..0. .... .... .... .... = Negotiate Challenge Accept Response: Not set
.... .... .... ...0 .... .... .... .... = Negotiate Challenge Init Response: Not set
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .0.. .... .... .... = Negotiate This is Local Call: Not set
.... .... .... .... ..0. .... .... .... = Negotiate Workstation Supplied: Not set
.... .... .... .... ...0 .... .... .... = Negotiate Domain Supplied: Not set
.... .... .... .... .... 0... .... .... = Negotiate 0x00000800: Not set
.... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... ...0 .... .... = Negotiate Netware: Not set
.... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
.... .... .... .... .... .... .0.. .... = Negotiate Datagram Style: Not set
.... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
.... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
.... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
.... .... .... .... .... .... .... .0.. = Request Target: Not set
.... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
.... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
NTLM Challenge: 37B32592AA3D5F56
Reserved: 0000000000000000
Content-Length: 355\r\n
Keep-Alive: timeout=15, max=99\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
\r\n
Response: True
Line-based text data: text/html
<HTML><HEAD>
<TITLE>407 Proxy Authentication Required</TITLE> </HEAD><BODY><H1>Proxy Authentication Required</H1>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad

frame 5

Hypertext Transfer Protocol
GET http://www.google.fr/ HTTP/1.0\r\n
Request Method: GET
Request URI: http://www.google.fr/
Request Version: HTTP/1.0
Accept: */*\r\n
Accept-Language: fr\r\n
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGAAAAA4ADgAeAAAAAoACgBIAAAABgAGAFIAAAAIAAgAWAAAAAAAAACwAAAABYIAAgUBKAoAAAAPRQBTAFMAQQBJAGMAbgBpAFQATwBUAE8Axit47ls5gTH9FOOEwdRpscm0+GSfHWZKlwQVXV+91iF8f/kAf8eroQEBAAAAAAAAWrmPgUd1xwHJtPhknx1mS
NTLMSSP
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_AUTH (0x00000003)
Lan Manager Response: C62B78EE5B398131FD14E384C1D469B1C9B4F8649F1D664A
Length: 24
Maxlen: 24
Offset: 96
NTLM Response: 9704155D5FBDD6217C7FF9007FC7ABA10101000000000000...
Length: 56
Maxlen: 56
Offset: 120
NTLMv2 Response: 9704155D5FBDD6217C7FF9007FC7ABA10101000000000000...
HMAC: 9704155D5FBDD6217C7FF9007FC7ABA1
Header: 0x00000101
Reserved: 0x00000000
Time: Apr 2, 2007 18:53:58.015625000
Client challenge: C9B4F8649F1D664A
Unknown: 0x00000000
Name: NetBIOS domain name, NULL
Name type: NetBIOS domain name (2)
Name len: 0
Name: End of list
Name type: End of list (0)
Name len: 0
Domain name: DOMAINE_AD
Length: 10
Maxlen: 10
Offset: 72
User name: COMPTE_UTILISATEUR
Length: 6
Maxlen: 6
Offset: 82
Host name: COMPTE_CLIENT_AD
Length: 8
Maxlen: 8
Offset: 88
Session Key: Empty
Flags: 0x02008205
0... .... .... .... .... .... .... .... = Negotiate 56: Not set
.0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set
..0. .... .... .... .... .... .... .... = Negotiate 128: Not set
...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
.... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
.... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
.... ..1. .... .... .... .... .... .... = Negotiate 0x02000000: Set
.... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
.... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set
.... .... .0.. .... .... .... .... .... = Negotiate 0x00400000: Not set
.... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
.... .... ...0 .... .... .... .... .... = Negotiate 0x00100000: Not set
.... .... .... 0... .... .... .... .... = Negotiate NTLM2 key: Not set
.... .... .... .0.. .... .... .... .... = Negotiate Challenge Non NT Session Key: Not set
.... .... .... ..0. .... .... .... .... = Negotiate Challenge Accept Response: Not set
.... .... .... ...0 .... .... .... .... = Negotiate Challenge Init Response: Not set
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .0.. .... .... .... = Negotiate This is Local Call: Not set
.... .... .... .... ..0. .... .... .... = Negotiate Workstation Supplied: Not set
.... .... .... .... ...0 .... .... .... = Negotiate Domain Supplied: Not set
.... .... .... .... .... 0... .... .... = Negotiate 0x00000800: Not set
.... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... ...0 .... .... = Negotiate Netware: Not set
.... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
.... .... .... .... .... .... .0.. .... = Negotiate Datagram Style: Not set
.... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
.... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
.... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
.... .... .... .... .... .... .... .1.. = Request Target: Set
.... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
.... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
Host: www.google.frrn
Proxy-Connection: Keep-Alive\r\n
Cookie: PREF=ID=4f2f24a992704cee:TM=1175527850:LM=1175527850:S=812IWxaYE95YFLBz\r\n
\r\n
Request: True.

2/ captures faites sur le DC

frame 1

SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Trans (0x25)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x08
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .0.. = Security Signatures: Security signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 2048
Process ID: 30341
User ID: 2049
Multiplex ID: 72
Trans Request (0x25)
Word Count (WCT): 16
Total Parameter Count: 0
Total Data Count: 306
Max Parameter Count: 0
Max Data Count: 4280
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: Return immediately (0)
Reserved: 0000
Parameter Count: 0
Parameter Offset: 82
Data Count: 306
Data Offset: 82
Setup Count: 2
Reserved: 00
Byte Count (BCC): 321
Transaction Name: \PIPE\
SMB Pipe Protocol
Function: TransactNmPipe (0x0026)
FID: 0x4000
DCE RPC
Version: 5
Version (minor): 0
Packet type: Request (0)
Packet Flags: 0x03
0... .... = Object: Not set
.0.. .... = Maybe: Not set
..0. .... = Did Not Execute: Not set
...0 .... = Multiplex: Not set
.... 0... = Reserved: Not set
.... .0.. = Cancel Pending: Not set
.... ..1. = Last Frag: Set
.... ...1 = First Frag: Set
Data Representation: 10000000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 306
Auth Length: 0
Call ID: 113
Alloc hint: 290
Context ID: 0
Opnum: 2
Microsoft Network Logon, NetrLogonSamLogon
Operation: NetrLogonSamLogon (2)
Server Handle: \\CONTROLEUR_DOMAINE
Referent ID: 0x00000001
Max Count: 10
Offset: 0
Actual Count: 10
Handle: \\CONTROLEUR_DOMAINE
Computer Name: COMPTE_PROXY_AD
Referent ID: 0x00000001
Max Count: 8
Offset: 0
Actual Count: 8
Computer Name: COMPTE_PROXY_AD
AUTHENTICATOR: credential
Referent ID: 0x00000001
Credential: F28802B8A20FA7CB
Timestamp: Apr 26, 2007 18:02:27.000000000
AUTHENTICATOR: return_authenticator
Referent ID: 0x00000001
Credential: 0000000000000000
Timestamp: Jan 1, 1970 01:00:00.000000000
Level: 2
LEVEL: LogonLevel COMPTE_UTILISATEUR
Level: 2
NETWORK_INFO: COMPTE_UTILISATEUR
Referent ID: 0x00000001
IDENTITY_INFO: COMPTE_UTILISATEUR
Domain: DOMAINE_AD
Length: 10
Size: 10
Character Array: DOMAINE_AD
Referent ID: 0x00000001
Max Count: 5
Offset: 0
Actual Count: 5
Domain: DOMAINE_AD
Param Ctrl: 0x00000000
Logon ID: 209933706518189
Acct Name: COMPTE_UTILISATEUR
Length: 6
Size: 6
Character Array: COMPTE_UTILISATEUR
Referent ID: 0x00000001
Max Count: 3
Offset: 0
Actual Count: 3
Acct Name: COMPTE_UTILISATEUR
Wkst Name: \\COMPTE_PROXY_AD
Length: 18
Size: 18
Character Array: \\COMPTE_PROXY_AD
Referent ID: 0x00000001
Max Count: 9
Offset: 0
Actual Count: 9
Wkst Name: \\COMPTE_PROXY_AD
Challenge: E74D12FC42604957
NT Chal resp
Length: 24
Size: 24
Byte Array
Referent ID: 0x00000001
Max Count: 24
Offset: 0
Actual Count: 24
NT Chal resp: EFEC165A5B36C14389D8EFCB510915824CAA7DDCA481E12D
LM Chal resp
Length: 0
Size: 0
(NULL pointer) Byte Array
Validation Level: 3

frame 2

SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
Response to: 1
Time from request: 0.005523000 seconds
SMB Command: Trans (0x25)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .0.. = Security Signatures: Security signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 2048
Process ID: 30341
User ID: 2049
Multiplex ID: 72
Trans Response (0x25)
Word Count (WCT): 10
Total Parameter Count: 0
Total Data Count: 56
Reserved: 0000
Parameter Count: 0
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 56
Data Offset: 56
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 57
Padding: 00
SMB Pipe Protocol
Function: TransactNmPipe (0x0026)
FID: 0x4000
DCE RPC
Version: 5
Version (minor): 0
Packet type: Response (2)
Packet Flags: 0x03
0... .... = Object: Not set
.0.. .... = Maybe: Not set
..0. .... = Did Not Execute: Not set
...0 .... = Multiplex: Not set
.... 0... = Reserved: Not set
.... .0.. = Cancel Pending: Not set
.... ..1. = Last Frag: Set
.... ...1 = First Frag: Set
Data Representation: 10000000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 56
Auth Length: 0
Call ID: 113
Alloc hint: 32
Context ID: 0
Cancel count: 0
Opnum: 2
Request in frame: 1
Time from request: 0.005523000 seconds
Microsoft Network Logon, NetrLogonSamLogon
Operation: NetrLogonSamLogon (2)
AUTHENTICATOR: return_authenticator
Referent ID: 0x0010e8b0
Credential: D5428CD1BAB10ECA
Timestamp: Jan 1, 1970 01:00:00.000000000
VALIDATION:
Validation Level: 3
(NULL pointer) VALIDATION_SAM_INFO2:
Authoritative: 1
Return code: STATUS_WRONG_PASSWORD (0xc000006a)

frame 3

SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Trans (0x25)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x08
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .0.. = Security Signatures: Security signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 2048
Process ID: 30341
User ID: 2049
Multiplex ID: 73
Trans Request (0x25)
Word Count (WCT): 16
Total Parameter Count: 0
Total Data Count: 306
Max Parameter Count: 0
Max Data Count: 4280
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: Return immediately (0)
Reserved: 0000
Parameter Count: 0
Parameter Offset: 82
Data Count: 306
Data Offset: 82
Setup Count: 2
Reserved: 00
Byte Count (BCC): 321
Transaction Name: \PIPE\
SMB Pipe Protocol
Function: TransactNmPipe (0x0026)
FID: 0x4000
DCE RPC
Version: 5
Version (minor): 0
Packet type: Request (0)
Packet Flags: 0x03
0... .... = Object: Not set
.0.. .... = Maybe: Not set
..0. .... = Did Not Execute: Not set
...0 .... = Multiplex: Not set
.... 0... = Reserved: Not set
.... .0.. = Cancel Pending: Not set
.... ..1. = Last Frag: Set
.... ...1 = First Frag: Set
Data Representation: 10000000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 306
Auth Length: 0
Call ID: 114
Alloc hint: 290
Context ID: 0
Opnum: 2
Microsoft Network Logon, NetrLogonSamLogon
Operation: NetrLogonSamLogon (2)
Server Handle: \\CONTROLEUR_DOMAINE
Referent ID: 0x00000001
Max Count: 10
Offset: 0
Actual Count: 10
Handle: \\CONTROLEUR_DOMAINE
Computer Name: COMPTE_PROXY_AD
Referent ID: 0x00000001
Max Count: 8
Offset: 0
Actual Count: 8
Computer Name: COMPTE_PROXY_AD
AUTHENTICATOR: credential
Referent ID: 0x00000001
Credential: 9FE6E4F30A46DD2F
Timestamp: Apr 26, 2007 18:02:27.000000000
AUTHENTICATOR: return_authenticator
Referent ID: 0x00000001
Credential: 0000000000000000
Timestamp: Jan 1, 1970 01:00:00.000000000
Level: 2
LEVEL: LogonLevel COMPTE_UTILISATEUR
Level: 2
NETWORK_INFO: COMPTE_UTILISATEUR
Referent ID: 0x00000001
IDENTITY_INFO: COMPTE_UTILISATEUR
Domain: DOMAINE_AD
Length: 10
Size: 10
Character Array: DOMAINE_AD
Referent ID: 0x00000001
Max Count: 5
Offset: 0
Actual Count: 5
Domain: DOMAINE_AD
Param Ctrl: 0x00000000
Logon ID: 209933706518189
Acct Name: COMPTE_UTILISATEUR
Length: 6
Size: 6
Character Array: COMPTE_UTILISATEUR
Referent ID: 0x00000001
Max Count: 3
Offset: 0
Actual Count: 3
Acct Name: COMPTE_UTILISATEUR
Wkst Name: \\COMPTE_PROXY_AD
Length: 18
Size: 18
Character Array: \\COMPTE_PROXY_AD
Referent ID: 0x00000001
Max Count: 9
Offset: 0
Actual Count: 9
Wkst Name: \\COMPTE_PROXY_AD
Challenge: E74D12FC42604957
NT Chal resp
Length: 0
Size: 0
(NULL pointer) Byte Array
LM Chal resp: EFEC165A5B36C14389D8EFCB510915824CAA7DDCA481E12D
Length: 24
Size: 24
Byte Array: EFEC165A5B36C14389D8EFCB510915824CAA7DDCA481E12D
Referent ID: 0x00000001
Max Count: 24
Offset: 0
Actual Count: 24
LM Chal resp: EFEC165A5B36C14389D8EFCB510915824CAA7DDCA481E12D
Validation Level: 3

frame 4

SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
Response to: 3
Time from request: 0.001900000 seconds
SMB Command: Trans (0x25)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .0.. = Security Signatures: Security signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 2048
Process ID: 30341
User ID: 2049
Multiplex ID: 73
Trans Response (0x25)
Word Count (WCT): 10
Total Parameter Count: 0
Total Data Count: 372
Reserved: 0000
Parameter Count: 0
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 372
Data Offset: 56
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 373
Padding: 00
SMB Pipe Protocol
Function: TransactNmPipe (0x0026)
FID: 0x4000
DCE RPC
Version: 5
Version (minor): 0
Packet type: Response (2)
Packet Flags: 0x03
0... .... = Object: Not set
.0.. .... = Maybe: Not set
..0. .... = Did Not Execute: Not set
...0 .... = Multiplex: Not set
.... 0... = Reserved: Not set
.... .0.. = Cancel Pending: Not set
.... ..1. = Last Frag: Set
.... ...1 = First Frag: Set
Data Representation: 10000000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 372
Auth Length: 0
Call ID: 114
Alloc hint: 348
Context ID: 0
Cancel count: 0
Opnum: 2
Request in frame: 3
Time from request: 0.001900000 seconds
Microsoft Network Logon, NetrLogonSamLogon
Operation: NetrLogonSamLogon (2)
AUTHENTICATOR: return_authenticator
Referent ID: 0x000fa8f0
Credential: BC5D1D9911C6E88E
Timestamp: Jan 1, 1970 01:00:00.000000000
VALIDATION:
Validation Level: 3
VALIDATION_SAM_INFO2:
Referent ID: 0x000f69a0
Logon Time: Apr 26, 2007 17:53:35.093750000
Logoff Time: Infinity (absolute time)
Kickoff Time: Infinity (absolute time)
PWD Last Set: Apr 26, 2007 17:26:34.562500000
PWD Can Change: Apr 26, 2007 17:26:34.562500000
PWD Must Change: Jul 25, 2007 17:26:34.562500000
Acct Name: COMPTE_UTILISATEUR
Length: 6
Size: 8
Character Array: COMPTE_UTILISATEUR
Referent ID: 0x000f6a8c
Max Count: 4
Offset: 0
Actual Count: 3
Acct Name: COMPTE_UTILISATEUR
Full Name
Length: 0
Size: 0
(NULL pointer) Character Array
Logon Script
Length: 0
Size: 0
(NULL pointer) Character Array
Profile Path
Length: 0
Size: 0
(NULL pointer) Character Array
Home Dir
Length: 0
Size: 0
(NULL pointer) Character Array
Dir Drive
Length: 0
Size: 0
(NULL pointer) Character Array
Logon Count: 63
Bad PW Count: 1
User RID: 1119
Group RID: 513
Num RIDs: 1
GROUP_MEMBERSHIP_ARRAY
Referent ID: 0x000f6a6c
Max Count: 1
GROUP_MEMBERSHIP:
Group RID: 513
Attributes: 0x00000007
.... .... .... .... .... .... .... .1.. = Enabled: The enabled bit is SET
.... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
.... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET
User Flags: 0x00000120
.... .... .... .... .... ..0. .... .... = Resource Groups: The resource_groups is NOT set
.... .... .... .... .... .... ..1. .... = Extra SIDs: The EXTRA_SIDS bit is SET
User Session Key: 82EA59FAEC1598C1D14B07A60CE251AD
Server: CONTROLEUR_DOMAINE
Length: 14
Size: 16
Character Array: CONTROLEUR_DOMAINE
Referent ID: 0x000f6a94
Max Count: 8
Offset: 0
Actual Count: 7
Server: CONTROLEUR_DOMAINE
Domain: DOMAINE_AD
Length: 10
Size: 12
Character Array: DOMAINE_AD
Referent ID: 0x000f6aa4
Max Count: 6
Offset: 0
Actual Count: 5
Domain: DOMAINE_AD
SID pointer:
SID pointer
Referent ID: 0x000f6a74
Count: 4
Domain SID: S-1-5-21-2025429265-220523388-1417001333
Revision: 1
Num Auth: 4
Authority: 5
Sub-authorities: 21-2025429265-220523388-1417001333
Unknown long: 0xfa59ea82
Unknown long: 0xc19815ec
User Account Control: 0x00000010
.... .... .... ...0 .... .... .... .... = Dont Require PreAuth: This account REQUIRES preauthentication
.... .... .... .... 0... .... .... .... = Use DES Key Only: This account does NOT have to use_des_key_only
.... .... .... .... .0.. .... .... .... = Not Delegated: This might have been delegated
.... .... .... .... ..0. .... .... .... = Trusted For Delegation: This account is NOT trusted_for_delegation
.... .... .... .... ...0 .... .... .... = SmartCard Required: This account does NOT require_smartcard to authenticate
.... .... .... .... .... 0... .... .... = Encrypted Text Password Allowed: This account does NOT allow encrypted_text_password
.... .... .... .... .... .0.. .... .... = Account Auto Locked: This account is NOT auto_locked
.... .... .... .... .... ..0. .... .... = Dont Expire Password: This account might expire_passwords
.... .... .... .... .... ...0 .... .... = Server Trust Account: This account is NOT a server_trust_account
.... .... .... .... .... .... 0... .... = Workstation Trust Account: This account is NOT a workstation_trust_account
.... .... .... .... .... .... .0.. .... = Interdomain trust Account: This account is NOT an interdomain_trust_account
.... .... .... .... .... .... ..0. .... = MNS Logon Account: This account is NOT a mns_logon_account
.... .... .... .... .... .... ...1 .... = Normal Account: This account is a NORMAL_ACCOUNT
.... .... .... .... .... .... .... 0... = Temp Duplicate Account: This account is NOT a temp_duplicate_account
.... .... .... .... .... .... .... .0.. = Password Not Required: This account REQUIRES a password
.... .... .... .... .... .... .... ..0. = Home Directory Required: This account does NOT require_home_directory
.... .... .... .... .... .... .... ...0 = Account Disabled: This account is NOT disabled
Unknown long: 0x00000000
Unknown long: 0x00000000
Unknown long: 0x00000000
Unknown long: 0x00000000
Unknown long: 0x00000000
Unknown long: 0x00000000
Unknown long: 0x00000000
Num Other Groups: 0
(NULL pointer) SID_AND_ATTRIBUTES_ARRAY:
Authoritative: 1
Return code: STATUS_SUCCESS (0x00000000)

Les informations suivantes sont :
COMPTE_UTILISATEUR = login du client XP
COMPTE_CLIENT_AD = compte machine client XP dans l'AD
COMPTE_PROXY_AD = compte machine du proxy dans l'AD
CONTROLEUR_DOMAINE = contrôleur utilisé dans l'établissement du lien avec l'AD sur le proxy
DOMAINE_AD = nom Netbios du domaine AD

Sauriez-vous m'indiquer les points suivants :
- version du protocole utilisé dans l'authentification du client XP sur le proxy : LM, NTLM, NTLMv2
- version du protocole utilisé dans l'authentification du client utilisateur par le DC via le proxy : LM, NTLM, NTLMv2
- pourquoi l'authentification du client via le proxy échoue toujours une première fois, puis est réussi en basculant sur un hash LM?

informations supplémentaires :
- le HASH LM n'est pas stocké sur le PC
- mots de passe > 14 caractères
- authentification transparente de l'utilisateur (pas de saisie de login/mdp)

Avez-vous des informations, recommandations ou autre me permettant de faire du NTLM minimum entre le client XP et le DC via le proxy?

Merci

Publicité

Krapaud

Modérateur

Je précise au cas où les informations suivantes :
1/ capture sur le PC client

frame 1 : source XP - destination proxy
frame 2 : source proxy - destination XP
frame 3 : source XP - destination proxy
frame 4 : source proxy - destination XP
frame 5 : source XP - destination proxy

2/ capture sur le DC

frame 1 : source proxy - destination DC
frame 2 : source DC - destination PROXY
frame 3 : source proxy - destination DC
frame 4 : source DC - destination PROXY

FORUM HardWare.fr

Systèmes & Réseaux Pro

Infrastructures serveurs

[lm/ntlm/ntlmv2] - proxy http

Sujets relatifs
Boitier UTM et proxy	Bloquer les messageries instantanées (HTTP/HTTPS) en entreprise
Utilité d'un proxy sur les connexions https (port 443)	ntlmaps + putty + squid = passer un proxy/firewall ISA ?
Interdire la désactivation du proxy par GPO
Plus de sujets relatifs à : [lm/ntlm/ntlmv2] - proxy http

Page générée en 0.073 secondes