Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Matthias Nagel wrote: Hi Phil, Probably a fairly trivial patch if you feel like it ;o) I had a quick glace at the source code and I found two files named smbencrypt.c. If you give me a hint, which is the correct file to start with, I will brosw the source code from that point and see what I can do. But probably not before next month. Please check src/modules/rlm_mschap/smbencrypt.c The main issue is that there is *no* character set information in the MS-CHAP calculations. The character set could be UTF-8, or any non-standard 16-bit encoding. So the calculation of the NT hash will depend on the character set... which is largely secret. This makes it very difficult to create the *correct* NT hash. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters
On 7 Sep 2013, at 16:43, Alan DeKok al...@deployingradius.com wrote: Matthias Nagel wrote: Hi Phil, Probably a fairly trivial patch if you feel like it ;o) I had a quick glace at the source code and I found two files named smbencrypt.c. If you give me a hint, which is the correct file to start with, I will brosw the source code from that point and see what I can do. But probably not before next month. Please check src/modules/rlm_mschap/smbencrypt.c The main issue is that there is *no* character set information in the MS-CHAP calculations. The character set could be UTF-8, or any non-standard 16-bit encoding. So the calculation of the NT hash will depend on the character set... which is largely secret. This makes it very difficult to create the *correct* NT hash. Can't we assume src as UTF8 for NAI (RFC4282)? Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Arran Cudbard-Bell wrote: Can't we assume src as UTF8 for NAI (RFC4282)? Ha, ha, ha, ha cough. 4282 is wrong. And no one implements any of it. The MS-CHAP RFCs are silent on the subject of character encoding. The unofficial word from Microsoft is MS-CHAP uses the local encoding. Ok... what's that? hysterical laughter No one knows. And there's no way to find out. And UTF-8 uses up to 5 octets for a character. MS-CHAP requires no more than 2. There is *no* way to do the right thing. You can get close. Sometimes. Maybe. But doing the right thing always? Impossible. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fwd: Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Sorry, my mail program tricked me and used the wrong destination address. -- Weitergeleitete Nachricht -- Betreff: Re: smbencrypt calculates false hash for German umlauts andother non-ASCII letters Datum: Samstag 07 September 2013, 19:13:17 Von: Matthias Nagel matthias.h.na...@gmail.com An: Alan DeKok al...@deployingradius.com Hello everybody, as it was me who came up with the issue. The password must be encoded as UTF-16 in little endian and then the MD4 is calculated. For example: Assume one uses smbencrypt from command line interface in order to calculate the hash. The linux console is set up to use en-US.utf8. Then, at first a character encoding into UTF-16 little endian is necessary, and in a second step the MD4 hash can be calculated. Matthias Am Samstag 07 September 2013, 12:10:38 schrieben Sie: Arran Cudbard-Bell wrote: Can't we assume src as UTF8 for NAI (RFC4282)? Ha, ha, ha, ha cough. 4282 is wrong. And no one implements any of it. The MS-CHAP RFCs are silent on the subject of character encoding. The unofficial word from Microsoft is MS-CHAP uses the local encoding. Ok... what's that? hysterical laughter No one knows. And there's no way to find out. And UTF-8 uses up to 5 octets for a character. MS-CHAP requires no more than 2. There is *no* way to do the right thing. You can get close. Sometimes. Maybe. But doing the right thing always? Impossible. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Matthias Nagel Parkstraße 27 76131 Karlsruhe Mobil: +49-151-15998774 e-Mail: matthias.h.na...@gmail.com ICQ: 499797758 Skype: nagmat84 - -- Matthias Nagel Parkstraße 27 76131 Karlsruhe Mobil: +49-151-15998774 e-Mail: matthias.h.na...@gmail.com ICQ: 499797758 Skype: nagmat84 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Hello, if a do a smbencrypt ä then the output for the NT hash is B5CF5E386433C7CB69E43ED774717792 but the correct hash would be 3104EAB484D59EFABCEA2C44B07F41D3. (If you do not see the letter: It is a small a with two dots, unicode code point 00E4.) Similar results hold for other umlauts, too. My Freeradius version is 2.2.0 running on Linux 3.8.13 with system locale set to en_US.utf8. I wrote an own utitly to calculate NT hashes to fill the Radius database. While I compared the results of my own utility with those from smbencrypt, I found these discrepancies. In order to check which result was the correct one, I took a Windows computer, added a dummy user to it and set the passwords in concern. Then I extracted the NT hashes from the SAM database. One note of caution: If you take a web site like http://www.onlinehashcrack.com/hash-calculator.php, do not trust it. If it comes to non-ASCII letters the output is false, too. Matthias -- Matthias Nagel Parkstraße 27 76131 Karlsruhe Mobil: +49-151-15998774 e-Mail: matthias.h.na...@gmail.com ICQ: 499797758 Skype: nagmat84 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Matthias Nagel matthias.h.na...@gmail.com wrote: Hello, if a do a smbencrypt ä then the output for the NT hash is B5CF5E386433C7CB69E43ED774717792 but the correct hash would be 3104EAB484D59EFABCEA2C44B07F41D3. (If you do not see the letter: It is a small a with two dots, unicode code point 00E4.) Similar results hold for other umlauts, too. My Freeradius version is 2.2.0 running on Linux 3.8.13 with system locale set to en_US.utf8. I wrote an own utitly to calculate NT hashes to fill the Radius database. While I compared the results of my own utility with those from smbencrypt, I found these discrepancies. In order to check which result was the correct one, I took a Windows computer, added a dummy user to it and set the passwords in concern. Then I extracted the NT hashes from the SAM database. One note of caution: If you take a web site like http://www.onlinehashcrack.com/hash-calculator.php, do not trust it. If it comes to non-ASCII letters the output is false, too. Matthias -- Matthias Nagel Parkstraße 27 76131 Karlsruhe Mobil: +49-151-15998774 e-Mail: matthias.h.na...@gmail.com ICQ: 499797758 Skype: nagmat84 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Almost certainly. Nt hashes are the 16-bit encoding, and smbencrypt likely treats each byte in the utf8 encoding as on ASCII char and pads it to 16 bits. I made some effort to handle this in the mschap password change code, but really the server should probably pull in libiconv for the few places this is needed (such as calculating correct nt hashes). Probably a fairly trivial patch if you feel like it ;o) -- Sent from my phone with, please excuse brevity and typos- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Hi Phil, Probably a fairly trivial patch if you feel like it ;o) I had a quick glace at the source code and I found two files named smbencrypt.c. If you give me a hint, which is the correct file to start with, I will brosw the source code from that point and see what I can do. But probably not before next month. Matthias Am Sonntag 18 August 2013, 17:44:46 schrieb Phil Mayers: Matthias Nagel matthias.h.na...@gmail.com wrote: Hello, if a do a smbencrypt ä then the output for the NT hash is B5CF5E386433C7CB69E43ED774717792 but the correct hash would be 3104EAB484D59EFABCEA2C44B07F41D3. (If you do not see the letter: It is a small a with two dots, unicode code point 00E4.) Similar results hold for other umlauts, too. My Freeradius version is 2.2.0 running on Linux 3.8.13 with system locale set to en_US.utf8. I wrote an own utitly to calculate NT hashes to fill the Radius database. While I compared the results of my own utility with those from smbencrypt, I found these discrepancies. In order to check which result was the correct one, I took a Windows computer, added a dummy user to it and set the passwords in concern. Then I extracted the NT hashes from the SAM database. One note of caution: If you take a web site like http://www.onlinehashcrack.com/hash-calculator.php, do not trust it. If it comes to non-ASCII letters the output is false, too. Matthias -- Matthias Nagel Parkstraße 27 76131 Karlsruhe Mobil: +49-151-15998774 e-Mail: matthias.h.na...@gmail.com ICQ: 499797758 Skype: nagmat84 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Almost certainly. Nt hashes are the 16-bit encoding, and smbencrypt likely treats each byte in the utf8 encoding as on ASCII char and pads it to 16 bits. I made some effort to handle this in the mschap password change code, but really the server should probably pull in libiconv for the few places this is needed (such as calculating correct nt hashes). Probably a fairly trivial patch if you feel like it ;o) -- Matthias Nagel Parkstraße 27 76131 Karlsruhe Mobil: +49-151-15998774 e-Mail: matthias.h.na...@gmail.com ICQ: 499797758 Skype: nagmat84 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html