Bugtraq mailing list archives
Re: NT4.0 SP3 Still vulnerable
From: pokee () MAXWELL EE WASHINGTON EDU (Aaron Spangler)
Date: Fri, 16 May 1997 09:41:32 PDT
From: "Rubens Kuhl Jr." <rkuhljr () pueridomus br>
To: "Aaron Spangler" <pokee () MAXWELL EE WASHINGTON EDU>, <BUGTRAQ () NETSPACE ORG>
Subject: Re: NT4.0 SP3 Still vulnerable
Date: Thu, 15 May 1997 22:15:43 -0300

> As far as I know, IE 3.02 corrected only sending NTLM logins through HTTP connections, and I suppose you are talking about capturing username/password hashes sent via SMB/CIFS (file://aaa.bbb.ccc.ddd).

I have a second site set up to grab usernames/password hashes via NTLM over HTTP. IE 3.02 is STILL NOT IMMUNE TO THIS. (Paul Ashton's bug)

> I'm still downloading SP3, but after a look at the readme it looked to me that SP3 could empower an administrator to fix such a bug by enabling the SMB signing feature; it would not fix it at installation.

Not true. Take a look at ftp://ftp.microsoft.com/developr/drg/CIFS/CIFS-Auth.doc. Even message signing does NOT help in this case. The client still sends the password before message signing starts. This is because the password is the "key" used for message signing! Rogue servers can still grab password hashes the same old way!

> And with or without SP3, filtering routers blocking 135/137/138/139 ports make this exploit and similar ones limited to intranets.

Even if you block ports 135/137/138/139, NTLM over HTTP is STILL VULNERABLE because it is over port 80 (the HTTP port)!

> Hasn't one exploit's code been released to SAMBA-DIGEST? It captures the password hashes, which someone could pass to l0phtcrack and similar crackers.

It might be. I have not read it yet. Although one important thing to note is that in order to use l0phtcrack or NTcrack or Crack50-NT, one needs to modify the code, because the password grabbed from NTLM over HTTP or the password grabbed from SMB (CIFS) is DOUBLY encrypted. Although I have written a cracker which I suspect is similar to Crack50-NT's speed, because I have some speedups: having to do only one crypt and then a table lookup to break most of the doubly encrypted LM hash.

> Other exploits such as real-time password cracking haven't been released, but I'm not sure if such a release would make Microsoft go faster.

I do have one, but I am not going to post the URL, or my web server will be overloaded. If anyone is interested in this, send me email and I will give you the URL.

> I think that's why BugTraq exists.
>
> Rubens Kuhl Jr.

What would we do without BugTraq?

Thanks,
- Aaron

--
Aaron Spangler                          EE Unix System Administrator
Electrical Engineering FT-10            pokee () ee washington edu
University of Washington                Phone (206) 543-8984
Box 352500                              or (206) 543-2523
Seattle, WA 98195-2500                  Fax (206) 543-3842
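The thread's point is that NTLM authentication rides inside ordinary HTTP headers on port 80, where router filters on 135-139 never see it, so the place to notice it is a web proxy or IDS. What follows is an added example, not code from this thread, from Microsoft or from Samba: a small Python decoder that recognises an `Authorization: NTLM` header, checks the `NTLMSSP\0` signature and message type, and pulls the domain, user and workstation names out of a Type 3 (Authenticate) message. The sample request, the names CORP/alice/WS01 and the dummy 24-byte responses are constructed for the example.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NegotiateFlags bit: string fields are UTF-16-LE

def _buf(raw, off):
    """Read a (Len, MaxLen, Offset) security-buffer descriptor and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, off)
    return raw[offset:offset + length]

def parse_ntlm_token(token):
    """Decode one base64 NTLM token from an HTTP header; None if it is not NTLM."""
    raw = base64.b64decode(token)
    if not raw.startswith(NTLM_SIGNATURE):
        return None
    info = {"type": struct.unpack_from("<I", raw, 8)[0]}  # 1=Negotiate 2=Challenge 3=Authenticate
    if info["type"] == 3:
        # AUTHENTICATE_MESSAGE: LM resp @12, NT resp @20, domain @28, user @36, workstation @44, flags @60
        enc = "utf-16-le" if struct.unpack_from("<I", raw, 60)[0] & NEGOTIATE_UNICODE else "ascii"
        info.update(domain=_buf(raw, 28).decode(enc), user=_buf(raw, 36).decode(enc),
                    workstation=_buf(raw, 44).decode(enc),
                    lm_response_len=len(_buf(raw, 12)), nt_response_len=len(_buf(raw, 20)))
    return info

def find_ntlm_auth(http_request):
    """Scan an HTTP request for 'Authorization: NTLM <token>' and decode the token."""
    for line in http_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization" and value.strip().upper().startswith("NTLM "):
            return parse_ntlm_token(value.strip()[5:])
    return None

def build_type3(domain, user, workstation):
    """Construct a minimal Type 3 message with dummy 24-byte responses (sample data only)."""
    blobs = [b"\x11" * 24, b"\x22" * 24] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    descs, payload = b"", b""
    for blob in blobs:  # six descriptors occupy bytes 12..59; payload starts at offset 64
        descs += struct.pack("<HHI", len(blob), len(blob), 64 + len(payload))
        payload += blob
    return NTLM_SIGNATURE + struct.pack("<I", 3) + descs + struct.pack("<I", NEGOTIATE_UNICODE) + payload

# Constructed sample: a browser answering an NTLM challenge from an external web server.
SAMPLE_REQUEST = ("GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
                  "Authorization: NTLM " + base64.b64encode(build_type3("CORP", "alice", "WS01")).decode()
                  + "\r\n\r\n")

if __name__ == "__main__":
    print(find_ntlm_auth(SAMPLE_REQUEST))
```

A proxy that logs these decoded fields for requests leaving the intranet shows which accounts are answering challenges from outside hosts, which is what the 135-139 filter alone cannot tell you.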