17

I need to implement a virtual filesystem that will be accessed as a Windows share.

It seems Alfresco JLan is doing the job. So far, I have some promising results starting from this answer: How to setup alfresco jlan file server as a standalone java package?

Now, I can't seem to actually authenticate. My dummy implementation always succeeds, but as soon as I try to validate the password, it just fails.

Some information:

  • It runs on a windows machine with port 445 not being used by Windows itself (Server services disabled etc.)
  • From same Windows 10 client, it seems JLan sees it as ntlmv1 authentication, which looks strange to me (I'd at least expect ntlmv2). alg == NTLM1 in JLan's CifsAuthenticator::validatePassword.
  • It seems the encrypted used password is 74 bytes, vs the 24 it expects, and it fails at that.
  • Had to remove CryptixCrypto that doesn't seem to exist anymore, and replaced getInstance("MD4") by MD4.getInstance() in JLan, as it seems to be the way to go on modern Java platforms (MD4 is not registered by default, as documented in MD4 class itself).

How can I check my password again some plain-text one?

ymajoros
  • 2,220
  • 3
  • 30
  • 56
  • 1
    Not sure I can provide much help, but I would suggest that the first curiosity to explore is why JLan (which I know nothing about) sees your Win10 box as NTLM1. Unless you've specifically disabled later versions of it, W10 should be negotiating the later version by default. I'd also wonder about any assumptions JLan makes about the connection itself, eg signed, secured, etc (SMB rules). As I said, not much direct help, but some suggestions of where to look. Lastly, you might peruse some of the SAMBA project's work in this area to see if any similar issues on that side might inspire some ideas – David W Oct 19 '16 at 13:11
  • 2
    Do you receive any errors when authenticating? Can you perhaps share your customizations on GitHub? – MojoJojo Oct 20 '16 at 01:47
  • @DavidW didn't disable or force anything, and I'm not sure whether it's really trying to do NTLM1 auth or if it's just jlan that gets it like this. I did try to google all of that, but didn't come up with something useful yet. Thanks for your input anyway. – ymajoros Oct 21 '16 at 12:01
  • @MojoJojo https://github.com/Valuya/javadance . It just pretends that authentication failed, and putting breakpoints, I can see that it expectes a 24 bytes hash when it's really 74. – ymajoros Oct 21 '16 at 12:03
  • Isn't there part of OLD NTLM that expects a 24-byte padded hash? If so, could it be that 74-byte value hasn't been hashed correctly? – David W Oct 21 '16 at 22:16
  • @DavidW sure, looking for something like that – ymajoros Oct 22 '16 at 14:36
  • 1
    Is there any reason why you're not using JCIFS? JCIFS is and has always been the defacto Java implementation of SMB. I don't think that alfresco thing every really took off. – squarewav Jan 02 '17 at 19:25
  • I would look directly on those SMB packets, can you share a PCAP file? – stuchl4n3k Nov 28 '18 at 10:04
  • @squarewav JCIFS is a client library. I needed a server lib. – ymajoros Jan 02 '19 at 13:55
  • From ancient memory cells, I recall something about NTLMv1 challenge responses in NTLMv2 session protocol (this is more secure than NTLMv1 by itself). On the client side there are some forced minimum settings. In LocalSecurityPolicy, see 'Network Security: minimum session security for NTLM SSP based clients'. –  Aug 15 '19 at 03:39

0 Answers0