验证NT和LM哈希对Active Directory [英] Validate NT and LM hashes against Active Directory

问题描述

我正在写的Web应用程序使用NTLM身份验证协议的用户。

I'm writing web-application authenticating user using NTLM protocol.

我已经成功地得到密码的NT和LM哈希客户端。我如何可以验证他们对Active Directory，以确保密码是否正确。

I have successfully get password's NT and LM hashes from client. How I can validate them against Active Directory to ensure that password is correct.

我使用C＃，但我认为这将可以让我打电话给本地库也是如此。

I'm using C#, but I think it will be possible for me to call native library as well.

修改：我看不出原因下投票。 NTLM（V2）协议已经过时所以真的很难找到关于如何处理相关的信息。特别是从在这样一个现代化的语言为C＃。

EDIT: I don't see reason for down-votes. NTLM(v2) protocol is outdated so it's really hard to find relative information on how to handle it. Especially from within such a modern language as C#.

但我发现两种可能的方法：

But I have found two possible approaches:

• 使用的Windows的本地SSPI电话（不建议使用微软），但是可以通过适当的包装。幸运的是，有一个例子： http://pinvoke.net/default.aspx/secur32/ InitializeSecurityContext.html 的这种做法似乎是工作。我能够验证帐户。但一些问题依然存在，依然。如转让有关客户的HTTP请求的服务器的安全上下文的信息，请拨打不安全code和不可能在其他系统上进行这样的操作。
通过 System.Net.Security.NegotiateStream 完成
• 在试图展开通话。这个想法是好的，但不知道如何实现这一目标。

• use of Windows' native SSPI calls (not recommended by Microsoft), but it's possible with proper wrapping. Lucky, there is an example: http://pinvoke.net/default.aspx/secur32/InitializeSecurityContext.html This approach seems to be working. I was able to verify account. But some questions remain, still. Such as transferring information about server's security context between clients' HTTP requests, call to unsafe code and impossibility to perform such operations on other systems.
• Trying unwrap calls done via System.Net.Security.NegotiateStream. The idea is nice, but no clue how to achieve this.

推荐答案

我会强烈建议你做一些研究 - 读了的文件从回答你的<一个 href="http://stackoverflow.com/questions/13805704/c-sharp-helper-classes-to-implement-ntlm-authorization/">other问题将是一个良好的开端 - 在此之前的问题收集更多的向下票

I would strongly recommend you to do some research - reading the that document from the answer to your other question would be a good start - before this question collects more down-votes.

你想实现什么 - 密码验证 - 是安全敏感的，这意味着它正确地理解底层技术和现代安全理念的重要

What you're trying to implement - password validation - is security sensitive which means that it's important to properly understand the underlying technology and modern security concepts.

现代的安全体系结构的一个重要的设计方面是抵抗所谓的重放攻击：prevent人谁是偷听从记录的验证挑战，并在稍后时间重播它的客户端和服务器之间的连接

One important design aspect of modern security architectures is being resistant against so-called replay attacks: prevent someone who's eavesdropping on the connection between client and server from recording the authentication challenge and replaying it at a later time.

NTLMv2身份/ NTLMv2会话使用了这项技术 - 传统的NT / LM（这是非常鼓励这些天）不

NTLMv2 / NTLMv2 Session uses this technique - legacy NT/LM (which is highly discouraged these days) does not.

您只是不能把客户的反应有些挑战是的您的产生和传递一个一些工具进行验证 - 因为这将彻底丧失重放攻击性的目的：如何将这项你和乔黑客谁或者记录，你得到的回应或产生的工具区分自己的？

You just can't take the client's response to some challenge that you generated and pass it one to some tool for validation - as this would completely forfeit to purpose of replay attack resistance: how would that tool distinguish between you and Joe Hacker who either recorded the response that you get or generated his own?

该方法是如何工作的是，多数民众赞成验证密码（即Active Directory）的实体产生的挑战，而不是要验证其用户的Web服务器。

The way how this works is that the entity that's validating the password (ie. Active Directory) generates the challenge, not the web server that wants to authenticate its users.

请，没有实现传统的NT / LM在你的Web服务器，并称之为安全 - 它会，其实，只给你很少的保护了以纯文本形式发送密码 - 这真是小巫见大巫，快速打破采用当今现代硬件的所谓的加密。阅读达文波特的文件，它列出了问题，与传统的NT / LM。

Please, don't implement legacy NT/LM in your web server and call that "security" - it will, in fact, only give you very little protection over sending the password in plain text - it is really trivial and fast to break the so-called "encryption" using today's modern hardware. Read that davenport document, it lists the problems with legacy NT/LM.

如果你真的想NTLM（它的更安全的版本），还有，你可以使用一些外部的辅助程序。比如看桑巴，Apache和鱿鱼。 Squid使用一些外部工具来处理NTLM我认为这是基于Samba的工具。

If you really want NTLM (the more secure version of it), there are some external helper programs that you can use. For instance look at Samba, Apache and Squid. Squid uses some external tool to handle NTLM which I think is based on Samba's tool.

使用多数民众赞成积极维护，如Samba的同时也意味着你将得到安全更新，因为如果你写你自己的，这不只是写在code，它也需要保持一个外部的工具，你需要注意安全问题和解决这些问题。

Using an external tool that's actively maintained such as Samba's also means that you'll get security updates because if you write your own, it's not just about writing the code, it also needs to be maintained, you need to watch out for security problems and fix them.

这篇关于验证NT和LM哈希对Active Directory的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！