NT Subject to User Session Key Reuse

Reported June 5 by Luke Kenneth Casson Leighton

Windows NT 4.0


When an administrator uses USRMGR.EXE or SRVMGR.EXE to remotely add users or workstations to a domain, or to change a user's password, the tool sends an encrypted 516-byte password block over the network. The data block can be intercepted and systematically taken apart to reveal a User Session Key, which can then be used to decrypt further communication intercepted between the administrator and the domain controllers. For example, if an administrator changes a user's password remotely, that password could be decrypted to reveal the clear-text version using the captured User Session Key.


Microsoft is aware of this matter; however, no response was known at the time of this writing.

Discovered and reported by Luke Kenneth Casson Leighton
