
NTLM hash authentication?

Open phughesion-h3 opened this issue 4 months ago • 6 comments

Samba's smbclient allows the user to use the --pw-nt-hash flag to provide the nt-hash of the user for authentication instead of just the username and password. Is this possible with this library, and/or how difficult would it be to implement this as a feature?

https://www.samba.org/samba/docs/current/man-html/smbclient.1.html

phughesion-h3 avatar Jul 25 '25 13:07 phughesion-h3

Hi, @phughesion-h3

I did a little research. As I understand, the --pw-nt-hash feature is not an official Microsoft SSPI feature and is implemented only by Samba's smbclient.

Is this possible with this library, and/or how difficult would it be to implement this as a feature?

Currently, it is not possible, and we do not plan to implement it. sspi-rs tries to behave as closely as possible to Microsoft SSPI.

I am not saying that it is impossible to implement. I am saying that it does not align with our goals.

@CBenoit, what do you think?

TheBestTvarynka avatar Jul 28 '25 09:07 TheBestTvarynka

I think we would be happy to support more of Samba, although that’s not our current priority. I remember that @awakecoding @thenextman expressed interest in Samba, and someone actually implemented a Samba client crate using sspi-rs: https://github.com/avivnaaman/smb-rs. So, if the extension is simple, we may consider implementing it, but maybe behind a smb feature flag?

In this case however, as I understand it, it seems to be more of a library API thing, rather than an extension to the protocol itself: an API to directly pass the nt-hash instead of letting the library handle its generation, so it does not even need to be behind a feature flag. Am I correct?

CBenoit avatar Jul 28 '25 11:07 CBenoit

As far as I know there is no proper way to do this in the original Windows SSPI API, but I implemented a hack in WinPR SSPI a while back to pass the NTLM hash for the FreeRDP pass-the-hash (/pth) option that works with the RDP restricted admin mode. I guess the main question is, if we are to do it, what kind of hack do we use to pass the NTLM hash instead of the credentials? I'm not against it, we just need to settle on the least problematic way to do it.

awakecoding avatar Jul 28 '25 11:07 awakecoding

directly pass the nt-hash instead of letting the library handle its generation, so it does not even need to be behind a feature flag. Am I correct?

Theoretically, it should be possible, but it is better to test it in a real environment. The AuthIdentity uses String for password. It may cause problems with the hash encoding/storing.

what kind of hack do we use to pass the NTLM hash instead of the credentials? I'm not against it, we just need to settle on the least problematic way to do it

At this point, I can think of two possible ways:

  1. Add a custom ClientRequestFlags::NT_HASH flag and check if it is present inside the NTLM implementation.
  2. Use environment variable (something like SSPI_NT_HASH=1).

TheBestTvarynka avatar Jul 28 '25 12:07 TheBestTvarynka

I think we should make it an optional feature. I just checked and in FreeRDP/WinPR the hack is to use a length over 512, where the extra is the hash length - this is hackish and I wouldn't recommend it. If I were to do it again, I think the best approach would be to pass the hash inside the password field with a known prefix unlikely to collide with a real password:

Option 1: NTLM:aad3b435b51404eeaad3b435b51404ee
Option 2: $NTLM$aad3b435b51404eeaad3b435b51404ee

any preferences?

awakecoding avatar Jul 28 '25 12:07 awakecoding
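A worked illustration of the prefix approach floated above, added here as an example and not code from sspi-rs (the project has not adopted any of these designs): the password field is checked for an assumed `$NTLM$` prefix followed by exactly 32 hex digits, a prefixed but malformed value is rejected instead of being quietly treated as a password, and the plain-password path derives NTOWFv1 (MD4 over the UTF-16LE password, per MS-NLMP) so that both inputs end in the same 16-byte key the NTLM exchange needs. `NtlmSecret`, `parse_password_field`, `nt_owf` and `NT_HASH_PREFIX` are names chosen for this example; MD4 is written out inline only because no extra crates are assumed.

```rust
// Added example (not sspi-rs code). Names are illustrative assumptions.

/// What the caller put in the password field: a real password, or a
/// pre-computed NT hash tagged with the agreed prefix.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum NtlmSecret {
    Password(String),
    NtHash([u8; 16]),
}

/// Prefix assumed for this example (Option 2 from the thread).
pub const NT_HASH_PREFIX: &str = "$NTLM$";

/// Interpret the password field. A prefixed value must be exactly 32 hex
/// digits; anything else after the prefix is an error rather than a fallback
/// to "use it as a password", so a typo in the hash cannot silently turn into
/// a wrong-password attempt against the server.
pub fn parse_password_field(field: &str) -> Result<NtlmSecret, String> {
    let hex = match field.strip_prefix(NT_HASH_PREFIX) {
        None => return Ok(NtlmSecret::Password(field.to_string())),
        Some(rest) => rest,
    };
    if hex.len() != 32 || !hex.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(format!("{} must be followed by exactly 32 hex digits", NT_HASH_PREFIX));
    }
    let mut out = [0u8; 16];
    for (i, byte) in out.iter_mut().enumerate() {
        *byte = u8::from_str_radix(&hex[2 * i..2 * i + 2], 16).map_err(|e| e.to_string())?;
    }
    Ok(NtlmSecret::NtHash(out))
}

/// NTOWFv1 (MS-NLMP): MD4 over the UTF-16LE encoding of the password.
/// With a pre-supplied hash there is nothing left to derive.
pub fn nt_owf(secret: &NtlmSecret) -> [u8; 16] {
    match secret {
        NtlmSecret::NtHash(h) => *h,
        NtlmSecret::Password(p) => {
            let utf16le: Vec<u8> = p.encode_utf16().flat_map(|c| c.to_le_bytes()).collect();
            md4(&utf16le)
        }
    }
}

pub fn to_hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// MD4 (RFC 1320). Three rounds of 16 steps over 512-bit blocks; padding
/// and length encoding are the same shape as MD5 (little-endian).
pub fn md4(msg: &[u8]) -> [u8; 16] {
    let mut state: [u32; 4] = [0x6745_2301, 0xefcd_ab89, 0x98ba_dcfe, 0x1032_5476];
    let bit_len = (msg.len() as u64).wrapping_mul(8);
    let mut data = msg.to_vec();
    data.push(0x80);
    while data.len() % 64 != 56 {
        data.push(0);
    }
    data.extend_from_slice(&bit_len.to_le_bytes());

    let f = |x: u32, y: u32, z: u32| (x & y) | (!x & z);
    let g = |x: u32, y: u32, z: u32| (x & y) | (x & z) | (y & z);
    let h = |x: u32, y: u32, z: u32| x ^ y ^ z;
    const S1: [u32; 4] = [3, 7, 11, 19];
    const S2: [u32; 4] = [3, 5, 9, 13];
    const S3: [u32; 4] = [3, 9, 11, 15];
    const K3: [usize; 16] = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15];

    for block in data.chunks_exact(64) {
        let mut x = [0u32; 16];
        for (i, w) in x.iter_mut().enumerate() {
            *w = u32::from_le_bytes([block[4 * i], block[4 * i + 1], block[4 * i + 2], block[4 * i + 3]]);
        }
        let [mut a, mut b, mut c, mut d] = state;
        // Each step updates one register; rotating the four names afterwards
        // reproduces the [ABCD], [DABC], [CDAB], [BCDA] pattern of the RFC.
        for i in 0..16 {
            let t = a.wrapping_add(f(b, c, d)).wrapping_add(x[i]).rotate_left(S1[i % 4]);
            a = d; d = c; c = b; b = t;
        }
        for i in 0..16 {
            let k = (i % 4) * 4 + i / 4; // 0,4,8,12,1,5,9,13,...
            let t = a.wrapping_add(g(b, c, d)).wrapping_add(x[k]).wrapping_add(0x5a82_7999).rotate_left(S2[i % 4]);
            a = d; d = c; c = b; b = t;
        }
        for i in 0..16 {
            let t = a.wrapping_add(h(b, c, d)).wrapping_add(x[K3[i]]).wrapping_add(0x6ed9_eba1).rotate_left(S3[i % 4]);
            a = d; d = c; c = b; b = t;
        }
        for (s, v) in state.iter_mut().zip([a, b, c, d]) {
            *s = s.wrapping_add(v);
        }
    }
    let mut out = [0u8; 16];
    for (i, w) in state.iter().enumerate() {
        out[4 * i..4 * i + 4].copy_from_slice(&w.to_le_bytes());
    }
    out
}

fn main() {
    // Constructed inputs: a plain password, the same secret supplied as a hash, and a bad hash.
    for field in ["password", "$NTLM$8846f7eaee8fb117ad06bdd830b7586c", "$NTLM$notahash"] {
        match parse_password_field(field) {
            Ok(s) => println!("{:?} -> NT hash {}", field, to_hex(&nt_owf(&s))),
            Err(e) => println!("{:?} -> rejected: {}", field, e),
        }
    }
}
```

The hex form keeps the hash representable in a `String`, which is the `AuthIdentity` encoding concern raised earlier in the thread, and the strict 32-digit check means a password such as `$NTLM$hunter2` produces an error instead of a silently wrong key. A genuine password that happens to be exactly `$NTLM$` plus 32 hex digits would still be misread as a hash; that residual ambiguity is the cost of any in-band prefix, and is the argument for the feature-flag or separate-API variants also mentioned above.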

I think we would be happy to support more of Samba, although that’s not our current priority. I remember that @awakecoding @thenextman expressed interest in Samba, and someone actually implemented a Samba client crate using sspi-rs: https://github.com/avivnaaman/smb-rs. So, if the extension is simple, we may consider implementing it, but maybe behind a smb feature flag?

In this case however, as I understand it, it seems to be more of a library API thing, rather than an extension to the protocol itself: an API to directly pass the nt-hash instead of letting the library handle its generation, so it does not even need to be behind a feature flag. Am I correct?

Yes, my use case is exactly that: if this library can support passing the nt-hash for authentication, then smb-rs (which uses this library) can also implement it. https://github.com/AvivNaaman/smb-rs/issues/100

@awakecoding I have no preference on how exactly the nt hash is accepted.

phughesion-h3 avatar Jul 28 '25 14:07 phughesion-h3